Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts. trunk
authormanu <manu@NetBSD.org>
Sat, 09 Sep 2006 16:22:08 +0000
branchtrunk
changeset 150814 46b4faae8ef2
parent 150813 9224b88f96c9
child 150815 83b991514914
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts. Since we previously tracked a release branch and we are importing here the HEAD of CVS, assume all local changes are to be dropped. Local patches should have been propagated upstream anyway.
crypto/dist/ipsec-tools/ChangeLog
crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h
crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h
crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h
crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h
crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h
crypto/dist/ipsec-tools/src/libipsec/key_debug.c
crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
crypto/dist/ipsec-tools/src/libipsec/pfkey.c
crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
crypto/dist/ipsec-tools/src/libipsec/policy_parse.y
crypto/dist/ipsec-tools/src/libipsec/policy_token.l
crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c
crypto/dist/ipsec-tools/src/libipsec/test-policy.c
crypto/dist/ipsec-tools/src/racoon/admin.c
crypto/dist/ipsec-tools/src/racoon/admin.h
crypto/dist/ipsec-tools/src/racoon/admin_var.h
crypto/dist/ipsec-tools/src/racoon/algorithm.c
crypto/dist/ipsec-tools/src/racoon/algorithm.h
crypto/dist/ipsec-tools/src/racoon/backupsa.c
crypto/dist/ipsec-tools/src/racoon/backupsa.h
crypto/dist/ipsec-tools/src/racoon/cfparse.y
crypto/dist/ipsec-tools/src/racoon/cfparse_proto.h
crypto/dist/ipsec-tools/src/racoon/cftoken.l
crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
crypto/dist/ipsec-tools/src/racoon/debug.h
crypto/dist/ipsec-tools/src/racoon/debugrm.c
crypto/dist/ipsec-tools/src/racoon/debugrm.h
crypto/dist/ipsec-tools/src/racoon/dhgroup.h
crypto/dist/ipsec-tools/src/racoon/dnssec.c
crypto/dist/ipsec-tools/src/racoon/dnssec.h
crypto/dist/ipsec-tools/src/racoon/dump.c
crypto/dist/ipsec-tools/src/racoon/dump.h
crypto/dist/ipsec-tools/src/racoon/eaytest.c
crypto/dist/ipsec-tools/src/racoon/evt.c
crypto/dist/ipsec-tools/src/racoon/evt.h
crypto/dist/ipsec-tools/src/racoon/gcmalloc.h
crypto/dist/ipsec-tools/src/racoon/genlist.c
crypto/dist/ipsec-tools/src/racoon/genlist.h
crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c
crypto/dist/ipsec-tools/src/racoon/gnuc.h
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.h
crypto/dist/ipsec-tools/src/racoon/gssapi.c
crypto/dist/ipsec-tools/src/racoon/gssapi.h
crypto/dist/ipsec-tools/src/racoon/handler.c
crypto/dist/ipsec-tools/src/racoon/handler.h
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
crypto/dist/ipsec-tools/src/racoon/isakmp.c
crypto/dist/ipsec-tools/src/racoon/isakmp.h
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
crypto/dist/ipsec-tools/src/racoon/isakmp_base.h
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.h
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h
crypto/dist/ipsec-tools/src/racoon/isakmp_newg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_newg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.h
crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h
crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
crypto/dist/ipsec-tools/src/racoon/kmpstat.c
crypto/dist/ipsec-tools/src/racoon/localconf.c
crypto/dist/ipsec-tools/src/racoon/localconf.h
crypto/dist/ipsec-tools/src/racoon/logger.c
crypto/dist/ipsec-tools/src/racoon/logger.h
crypto/dist/ipsec-tools/src/racoon/main.c
crypto/dist/ipsec-tools/src/racoon/misc.c
crypto/dist/ipsec-tools/src/racoon/misc.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael_local.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.h
crypto/dist/ipsec-tools/src/racoon/missing/strdup.c
crypto/dist/ipsec-tools/src/racoon/nattraversal.c
crypto/dist/ipsec-tools/src/racoon/nattraversal.h
crypto/dist/ipsec-tools/src/racoon/netdb_dnssec.h
crypto/dist/ipsec-tools/src/racoon/oakley.c
crypto/dist/ipsec-tools/src/racoon/oakley.h
crypto/dist/ipsec-tools/src/racoon/pfkey.c
crypto/dist/ipsec-tools/src/racoon/pfkey.h
crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.8
crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
crypto/dist/ipsec-tools/src/racoon/plog.c
crypto/dist/ipsec-tools/src/racoon/plog.h
crypto/dist/ipsec-tools/src/racoon/policy.c
crypto/dist/ipsec-tools/src/racoon/policy.h
crypto/dist/ipsec-tools/src/racoon/privsep.c
crypto/dist/ipsec-tools/src/racoon/privsep.h
crypto/dist/ipsec-tools/src/racoon/proposal.c
crypto/dist/ipsec-tools/src/racoon/proposal.h
crypto/dist/ipsec-tools/src/racoon/prsa_par.y
crypto/dist/ipsec-tools/src/racoon/prsa_tok.l
crypto/dist/ipsec-tools/src/racoon/racoon.8
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
crypto/dist/ipsec-tools/src/racoon/racoonctl.8
crypto/dist/ipsec-tools/src/racoon/racoonctl.c
crypto/dist/ipsec-tools/src/racoon/racoonctl.h
crypto/dist/ipsec-tools/src/racoon/remoteconf.c
crypto/dist/ipsec-tools/src/racoon/remoteconf.h
crypto/dist/ipsec-tools/src/racoon/rsalist.c
crypto/dist/ipsec-tools/src/racoon/rsalist.h
crypto/dist/ipsec-tools/src/racoon/safefile.c
crypto/dist/ipsec-tools/src/racoon/safefile.h
crypto/dist/ipsec-tools/src/racoon/sainfo.c
crypto/dist/ipsec-tools/src/racoon/sainfo.h
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.in
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-inherit
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-plainrsa
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/phase1-up.sh
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/racoon.conf
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf-radius
crypto/dist/ipsec-tools/src/racoon/schedule.c
crypto/dist/ipsec-tools/src/racoon/schedule.h
crypto/dist/ipsec-tools/src/racoon/session.c
crypto/dist/ipsec-tools/src/racoon/session.h
crypto/dist/ipsec-tools/src/racoon/sockmisc.c
crypto/dist/ipsec-tools/src/racoon/sockmisc.h
crypto/dist/ipsec-tools/src/racoon/str2val.c
crypto/dist/ipsec-tools/src/racoon/str2val.h
crypto/dist/ipsec-tools/src/racoon/strnames.c
crypto/dist/ipsec-tools/src/racoon/strnames.h
crypto/dist/ipsec-tools/src/racoon/throttle.c
crypto/dist/ipsec-tools/src/racoon/throttle.h
crypto/dist/ipsec-tools/src/racoon/var.h
crypto/dist/ipsec-tools/src/racoon/vendorid.c
crypto/dist/ipsec-tools/src/racoon/vendorid.h
crypto/dist/ipsec-tools/src/racoon/vmbuf.c
crypto/dist/ipsec-tools/src/racoon/vmbuf.h
crypto/dist/ipsec-tools/src/setkey/extern.h
crypto/dist/ipsec-tools/src/setkey/parse.y
crypto/dist/ipsec-tools/src/setkey/setkey.8
crypto/dist/ipsec-tools/src/setkey/setkey.c
crypto/dist/ipsec-tools/src/setkey/test-pfkey.c
crypto/dist/ipsec-tools/src/setkey/token.l
crypto/dist/ipsec-tools/src/setkey/vchar.h
--- a/crypto/dist/ipsec-tools/ChangeLog	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog	Sat Sep 09 16:22:08 2006 +0000
@@ -1,9 +1,314 @@
+---------------------------------------------
+
+	Migration to cvs.netbsd.org
+
+2006-08-22  Emmanuel Dreyfus  <manu@netbsd.org>
+	
+	From Matthew Grooms:
+	* src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
+	  src/racoon{isdakmp_quick.c|isakmp_xauth.c|isakmp_xauth.h}
+	  src/racoon/racoon.conf.5: Add a group check option
+
+2006-08-17  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	Patch from Matthew Grooms:
+	* src/racoon/ipsec_doi.c: fixed an ASN1 size in
+	  ipsecdoi_checkid1()
+
+2006-08-11  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	Patch from Matthew Grooms:
+	* src/racoon/ipsec_doi.[ch]: fixed and public ipsecdoi_id2str()
+	* src/racoon/isakmp_quick.c: text fix
+	* src/racoon/pfkey.c: sainfo debug
+	* src/racoon/sainfo.c: sainfo debug
+
+2006-07-17  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	Reported by Matthew Grooms:
+	* src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in
+	get_sainfo_r().
+	* src/racoon/racoon.conf.5: updated man page for sainfo logic. 
+
+2006-07-31  Emmanuel Dreyfus  <manu@netbsd.org>
+	From Matthew Grooms <mgrooms@shrew.net>
+	* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
+	  src/racoon/{isakmp_unity.c|isakmp_unity.h}: splinet support
+	  becomes dynamic, bugfixes 
+
+2006-07-19  Emmanuel Dreyfus  <manu@netbsd.org>
+	From Peter Eisch <peter@boku.net>
+	* src/racoon/samples/roadwarrior/client/phase1-up.sh: add missing
+	  netmask in network interface configuration
+
+	From Matthew Grooms <mgrooms@shrew.net>
+	* configure.ac src/racoon/isakmp_xauth.c: update the LDAP API usage
+
+	From Matthew Grooms <mgrooms@shrew.net>
+	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
+	  src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS
+	  support (server side)
+
+2006-07-17  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align().
+	  Break reported by Matthew Grooms.
+	
+2006-07-13  Frederic Senault  <fred@lacave.net>
+
+	* src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4
+	  unoperable on 64bit architectures ; add a packetdump of MODE_CFG
+	  exchange in debug mode.
+
+2006-07-09  Emmanuel Dreyfus  <manu@netbsd.org>
+	From Matthew Grooms <mgrooms@shrew.net>
+	* src/racoon{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c}
+	  src/racoon{isakmp_xauth.h|racoon.conf.5|sainfo.c|sainfo.h}: 
+	  Group authentication for Xauth. Supports system groups and LDAP.
+
+2006-07-04  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/nattraversal.c: fixed a malloc check in
+	  natt_keepalive_add(). Patch from Bruno Wagenseil.
+
+2006-06-30  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{cfparse.l|cftoken.l}: meaningful error message when 
+	we cannot find the configuration file.
+
+2006-06-24  Emmanuel Dreyfus  <manu@netbsd.org>
+	From Matthew Grooms <mgrooms@shrew.net>
+	* src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
+	  src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network
+	  configuration obtained from LDAP directory
+
+2006-06-23  Emmanuel Dreyfus  <manu@netbsd.org>
+	From Matthew Grooms <mgrooms@shrew.net>
+	* configure.ac: build fixes 
+
+2006-06-22  Emmanuel Dreyfus  <manu@netbsd.org>
+	* src/racoon/evt.c: build fix
+	From Matthew Grooms <mgrooms@shrew.net>
+	* configure.ac: build fixes around libldap and libiconv search
+
+2006-06-21  Emmanuel Dreyfus  <manu@netbsd.org>
+	* src/racoon/evt.c: Do not record events if admin socket is
+	  disabled.
+
+2006-06-20  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* configure.ac: Check for conflicts between system libiconv
+	  and newer libiconv header
+	From Matthew Grooms <mgrooms@shrew.net>
+	* configure.ac src/racoon/{cfparse.y|cftoken.l}
+	  src/racoon/{isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
+	  src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth
+
+2006-06-20  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* configure.ac: fixed SHA256 detection on some systems. Patch by
+	  Dmitry Andrianov.
+	* src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}:
+	  changed logging levels. Patch by Michal Ruzicka.
+
+2006-06-15  Emmanuel Dreyfus  <manu@netbsd.org>
+	From Matthew Grooms <mgrooms@shrew.net>
+	* src/racoon/main.c: make sure RADIUS is correctly initialized
+
+2006-06-14  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* Makefile.am, src/Makefile.am: fixed make dist on *BSD
+
+2006-06-07  Emmanuel Dreyfus  <manu@netbsd.org>
+	* src/racoon/isakmp_cfg.c: Fix build. 
+
+2006-05-26  Emmanuel Dreyfus  <manu@netbsd.org>
+	From Pawel Jakub Dawidek <pjd@FreeBSD.org>
+	* src/racoon/handler.c: Fix a crash caused by a NULL pointer
+	* src/racoon/oakley.c: Typos
+	* src/racoon/isakmp_base.c: Fix uninitialized buffer
+	* src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode)
+
+2006-05-23  Emmanuel Dreyfus  <manu@netbsd.org>
+	* src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so 
+	  do not assume Xauth when preparing a hook script environement.
+	From chunkeey@web.de
+	* src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64
+	  build warnings
+	* src/racoon/ipsec_doi.c: Don't free a referenced buffer
+	From Matthew Grooms <mgrooms@shrew.net>
+	* src/racoon/isakmp_cfg.c: Fix for unity local_lan support
+
+2006-05-07  Emmanuel Dreyfus  <manu@netbsd.org>
+	* src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do 
+	  not reconfigure interface sockets when running in privilege 
+	  separation as it will not work. Add debug for setsockopt().
+	* src/racoon/racoonctl.8: Do not tell config reload is completely 
+	  broken (it's only somewhat broken).
+
+2006-05-06  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix
+	  memory leak (Coverity)
+	* src/racoon/pfkey.c: Fix memory leak (Coverity)
+	* src/racoon/ipsec_doi.c: Fix memory leak (Coverity)
+	* src/racoon/isakmp.c: Fix memory leak (Coverity)
+	* src/racoon/dnssec.c: Fix memory leak (Coverity)
+	* src/racoon/backupsa.c: Fix memory leak (Coverity)
+	* src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL
+	  allocation (Coverity)
+	* src/racoon/isakmp_quick.c: Remove dead code (Coverity)
+	* src/racoon/oakley.c: Remove dead code (Coverity)
+	* src/racoon/crypto_openssl.c: Remove dead code (Coverity)
+
+2006-05-05  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
+	  encapsulation in pk_sendgetspi().
+
+2006-05-04  Yvan Vanhullebus  <vanhu@netasq.com>
+	From Preggna S (spreggna@novell.com)
+	* src/racoon/schedule.h: fixed gnuc.h include.
+	* src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support.
+	* src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function.
+
+2006-05-03  Yvan Vanhullebus  <vanhu@netasq.com>
+	From Joy Latten <latten@austin.ibm.com>
+	* configure.ac: security context support check
+	* src/libipsec/{pfkey.c|pfkey_dump.c}: 
+	  SADB_X_EXT_PACKET / SADB_X_EXT_SEC_CTX support
+	* src/setkey/{parse.ytoken.l}: parses optionnal security context
+	* src/setkey/setkey.8: security context syntax
+
+2006-04-27  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity)
+
+2006-04-24  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/isakmp.c: style cleanup in delete_spd()
+
+2006-04-13  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
+	  encapsulation in pk_sendupdate().
+
+2006-04-12  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/ipsec_doi.c: fix memory leaks (Coverity)
+
+2006-04-06  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h}
+	  src/racoon/{gcmalloc.h|isakmp.c|isakmp_inf.c|isakmp_xauth.c}
+	  src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add
+	  strdup in the malloc debugging framework, check for strdup failures
+	  (found by Coverity)
+	* src/racoon/admin.c: Do not use an unallocated pointer (Coverity)
+	* src/racoon/schedule.c: Check for NULL pointer
+	* src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c}
+	  src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check 
+	  that dupsaddr returns non NULL pointers (Coverity)
+	* src/racoon/isakmp_quick.c: Ignore multiple notifications in the 
+	  same message, and do not leak memory (Coverity)
+	* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in 
+	  GSSAPI code (Coverity)
+	* src/racoon/racoonctl.c: fix minor memory leak (Coverity)
+	* src/racoon/isakmp.c: fix memory leak (Coverity)
+	* src/racoon{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity)
+
+2006-04-05  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakmp_xauth.c: fix unitialized variable, found by 
+	  Coverity
+	* src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not
+	  use deleted phase 1 handler after errors, found by coverity
+	* src/racoon/main.c: tell which config file we use
+	* src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found
+	  by Coverity
+	* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1
+	  handler, found by Coverity
+	* src/racoon/dnssec.c: do not return a free'ed certificate, found by
+	  Coverity
+	* src/racoon/oakley.c: fix stale pointer alias, found by Coverity
+	* src/racoon/throttle.c: do not free current item while walking a
+	  chained list, found by Coverity
+	* src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity
+
+2006-03-18  Emmanuel Dreyfus  <manu@netbsd.org>
+	
+	From John Nemeth <jnemeth@victoria.tc.ca> and a Coverity scan
+	* src/racoon/isakmp_xauth.c: fix memory leak
+	
+2006-02-25  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Thomas Klausner <wiz@NetBSD.org>
+	* src/racoon/{cfparse.y|handler.h}: typos
+	
+2006-02-23  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/main.c: do not reset isakmp_cfg structure after
+	  config reload.
+
+2006-02-22  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not
+	  be really necessary) and DPD VId hash generation
+
+2006-02-17  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous"
+	  sainfos.
+	* src/racoon/racoon.conf.5: updated sainfos syntax
+	* src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID
+
+2006-02-15  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy
+	  levels
+	* src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE
+	  generate policy levels
+	* src/racoon/proposal.c: Sets optionnal reqid for generated
+	  policies
+	* src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid
+	  specified
+	* src/racoon/racoon.conf.5: updated generate_policy syntax
+
+2006-02-02  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send()
+	  fails in isakmp_ph1resend()
+
+2006-01-17  Frederic Senault  <fred@lacave.net>
+
+	* src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the
+	  peers_identifier keyword.
+
+	* src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the
+	  adminsock to allow for racoonctl to stop looping when the
+	  vpn-connect command is used and there is no mode config exchange.
+
 2006-01-08  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	* src/racoon/isakmp_cfg.c: make software behave as the documentation 
 	  advertise for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to 
 	  avoid breaking backward compatibility.
 
+2005-12-19  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/racoon/session.c: Fixed / cleaned up signal handling.
+
+2005-12-13  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/libipsec/samples/*: replaced "obey" mode by "strict" mode.
+
+2005-12-07  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	* src/libipsec/pfkey_dump.c: fixed compilation when NAT_T
+	  disabled (Fred has still some CVS problems).
+	* src/racoon/session.c: Calls isakmp_cfg_init() only if
+	  ENABLE_HYBRID in reload_conf().
+
 2005-12-04  Frederic Senault  <fred@lacave.net>
 
 	* src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
@@ -12,9 +317,17 @@
 	  in conjunction with -D to show SADs with the port, allow both get and
 	  delete commands to use bracketed ports if needed.
 
----------------------------------------------
-
-	0.6.3 released
+2005-11-26  Emmanuel Dreyfus  <manu@netbsd.org>
+	
+	* src/racoon/session.c: fix possible race conditions in signal handlers
+	* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when 
+	  reloading configuration, do not new add mode_cfg config to the 
+	  existign one, overwrite it instead.
+
+2005-11-25  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Thomas Klausner <wiz@netbsd.org>
+	* src/racoon/racoon.conf.5: Style changes
 
 2005-11-21  Yvan Vanhullebus  <vanhu@netasq.com>
 
@@ -29,18 +342,43 @@
 	  using IKE test suite from 
 	  http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/
 
+2005-11-10  Yvan Vanhullebus  <vanhu@free.fr>
+
+	Patches from Francis Dupont
+	* src/libipsec/key_debug.c: SADB_X_EXT_PACKET support
+	* src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function
+	* src/setkey/parse.y: IPPROTO_MH support
+	* src/racoon/pfkey.c: fixed some logs
+	* src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC,
+	  appropriate define for SADB_X_NAT_T_NEW_MAPPING, added
+	  SADB_X_MIGRATE
+
 2005-11-06  Aidas Kasparas  <a.kasparas@gmc.lt>
-
-	* src/racoon/main.c, src/racoon/session.c: moved .pid file writing
-	  just before main loop. Thanks Stephen Thorne
-	* src/racoon/localconf.h, src/racoon/cftoken.l: introduced 
-	  path pidfile directive
-	* src/racoon/racoon.conf.5: documented above
-	* configure.ac: OpenSSL 0.9.8 compilation fix. Thank Ganesan 
-	  Rajagopal
-	* configure.ac: added check for strlcat function
-	* src/racoon/misc.h: define strlcat function for systems without one
-	* src/racoon/remoteconf.c: strncat -> strlcat
+ 
+ 	* src/racoon/main.c, src/racoon/session.c: moved .pid file writing
+ 	  just before main loop. Thanks Stephen Thorne
+ 	* src/racoon/localconf.h, src/racoon/cftoken.l: introduced 
+ 	  path pidfile directive
+ 	* src/racoon/racoon.conf.5: documented above
+ 	* configure.ac: OpenSSL 0.9.8 compilation fix. Thank Ganesan 
+ 	  Rajagopal
+ 	* configure.ac: added check for strlcat function
+ 	* src/racoon/misc.h: define strlcat function for systems without one
+ 	* src/racoon/remoteconf.c: strncat -> strlcat
+ 
+2005-11-01  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks 
+	Andreas Tobler
+
+2005-10-30  Yvan Vanhullebus  <vanhu@netasq.com>
+
+	Patches from Christoph Nadig for compilation on MacOS X
+	* configure.ac: no lcrypt for darwin
+	* src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H
+	* src/racoon/isakmp_cfg.c: some includes and some %zu
+	* src/racoon/isakmp_unity.c: fixed a %zu
+	* src/racoon/vmbuf.h: vfree already defined for Apple
 
 2005-10-17  Aidas Kasparas  <a.kasparas@gmc.lt>
 
@@ -51,41 +389,28 @@
 	* src/racoon/ipsec-doi.c: adopted to above
 	* src/racoon/racoon.conf.5: documented above
 	
-2005-10-14  Emmanuel Dreyfus  <manu@netbsd.org>
+2005-09-14  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	* src/libipsec/pfkey.c: One forgotten cast caddr_t -> void *
 
----------------------------------------------
-
-	0.6.2 released
-
 2005-10-14  Yvan Vanhullebus  <vanhu@netasq.com>
 
 	* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
 	  USER_FQDNs (problem reported by Bernhard Suttner).
 
----------------------------------------------
-
-	0.6.2.beta3 released
-
-2005-09-05   Emmanuel Dreyfus  <manu@netbsd.org>
-
-	From Andreas Hasenack <ahasenack@terra.com.br>
-	* configure.ac: More build fixes for Linux
-
----------------------------------------------
-
-	0.6.2.beta2 released
-
-2005-09-04  Emmanuel Dreyfus  <manu@netbsd.org>
-
-	From Wilfried Weissmann
-	* src/libipsec/policy_parse.y src/racoon/{ipsec_doi.c|oakley.c}
+2005-09-10  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon[isakmp.c|isakmp_cfg.c|isakmp_inf.c}
+	  src/racoon/doc/FAQ configure.ac: Add --enable-broken-natt for
+	  kernel implementing NAT-T but unable to cope with IKE ports in 
+	  SAD and SPD.
+
+2005-09-05  Emmanuel Dreyfus  <manu@netbsd.org>
+	
+	From Wilfried Weissmann:
+	* src/libipsec/policy_parse.y src/racoon/oakley.c
 	  src/racoon/{sockmisc.c|sockmisc.h}: build fixes
 
----------------------------------------------
-
-	0.6.2.beta1 released
 
 2005-09-03  Emmanuel Dreyfus  <manu@netbsd.org>
 
@@ -94,10 +419,6 @@
 
 2005-08-26  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* src/racoon/cfparse.y: handle xauth_login correctly
-	* src/racoon/isakmp.c: catch internal error
-	* src/raccon/isakmp_agg.c: fix racoon as Xauth client
-	* src/raccon/{isakmp_agg.c|isakmp_base.c}: Proposal safety checks
 	* src/racoon/evt.c: Fix memory leak when event queue overflows
 
 2005-08-23  Emmanuel Dreyfus  <manu@netbsd.org>
@@ -111,19 +432,20 @@
 	* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
 	  ISAKMP mode config without Xauth.
 
-2005-09-16  Yvan Vanhullebus  <vanhu@free.fr>
+2005-08-16  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Thomas Klausner <wiz@netbsd.org>
+	* src/setkey/setkey.8: remove trailing whitespaces
+
+2005-09-09  Yvan Vanhullebus  <vanhu@free.fr>
 
 	* src/racoon/policy.c: Do not parse all sptree in inssp() if we
 	  don't use Policies priority.
 
-2005-08-15  Emmanuel Dreyfus  <manu@netbsd.org>
-
-	From: Thomas Klausner <wiz@netbsd.org>
-	src/setkey/setkey.8: Drop trailing spaces
-
----------------------------------------------
-
-	0.6.1 released
+2005-08-20  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/handler.c: Fixed a possible crash in
+	  remove_ph2(). Reported by Dietmar Eggemann.
 
 2005-08-14  Emmanuel Dreyfus  <manu@netbsd.org>
 
@@ -144,10 +466,6 @@
 	* src/racoon/privsep.c: Fixed a %d -> %zu in
 	port_check() (reported by Matthias Scheler).
 
----------------------------------------------
-
-	0.6.1.rc1 released
-
 2005-08-04  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	* configure.ac: correctly quote RACOON_PATH_LIBS arguments
@@ -157,10 +475,6 @@
 	* src/racoon/isakmp_inf.c: First fix to
 	info_recv_initialcontact(): do a basic IP check when no NAT-T.
 
-2005-07-28  Emmanuel Dreyfus <manu@netbsd.org>
-
-	* src/racoon/{pfkey.c|proposal.c}: IPcomp CPI size fixes
-
 2005-07-26  Yvan Vanhullebus  <vanhu@free.fr>
 
 	* src/racoon/isakmp.c: Fixed purge_remote()
@@ -170,19 +484,19 @@
 	* src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
 	a new ph1handle exists (patch by Krzysztof Oledzki)
 
----------------------------------------------
-
-	0.6.1.beta3 released
-
 2005-07-20  Aidas Kasparas  <a.kasparas@gmc.lt>
 
-	* configure.ac: disabled --enable-samode-unspec for linux
+	* configure.ac: disabled --enable-samode-unspec under linux
 
 2005-07-20  Yvan Vanhullebus  <vanhu@free.fr>
 
 	* src/racoon/isakmp_quick.c: Ignore NATOA payloads in
 	quick_r1recv() as it is done in quick_i2recv().
-
+	* configure.ac: new --enable-fastquit option
+	* src/racoon/session.c: new code optional code when flushing SAs,
+	which is faster and should have no deadlocks. configure
+	--enable-fastquit option to enable it.
+	
 2005-07-19  Yvan Vanhullebus  <vanhu@free.fr>
 
 	* src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
@@ -194,27 +508,24 @@
 
 	* src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to
 	  Patrice Fournier
-	* src/setkey/setkey.c: disabled readline's filename completion.
-	  Fixed bug 1179281.
+	* src/racoon/setkey.c: disabled readline's filename completion 
+	  (bug 1179281 fix)
 	* src/racoon/proposal.c: fixed mode selection for SAs with
-	  complex_bundle on behind NAT.
+	  complex_bundle on behind NAT
 
 2005-07-14  Yvan Vanhullebus  <vanhu@free.fr>
 
-	* src/racoon/handler.c: Clears the DPD schedule in delph1()
-
----------------------------------------------
-
-	0.6.1.beta2 released
-
+	* src/racoon/handler.c: - Clears the DPD schedule in delph1()
+	                        - Cleared up sanity checks in delph1()
+	                        - Sets p->rmconf to NULL if no new
+	                          remoteconf in revalidate_ph1tree_rmconf()
+	* src/racoon/isakmp.c: Added sanity checks in script_hook()
+	* src/racoon/oakley.c: Sanity check in save_certbuf()
+
+	
 2005-07-13  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	* src/setkey/Makefile.am: missing file in distribution
-	* src/racoon/isakmp_inf.c: build fix
-
----------------------------------------------
-
-	0.6.1.beta1 released
 
 2005-07-12  Yvan Vanhullebus  <vanhu@free.fr>
 
@@ -231,14 +542,15 @@
 	* src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
 	  Add comments for using the scripts without NAT-T
 
-2005-07-04  Emmanuel Dreyfus  <manu@netbsd.org>
-
-	* src/racoon/isakmp_inf.c: safety checks on informational messages
-
 2005-07-11  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* configure.ac: build fixes on Linux. Accomodate various libiconv 
-	  versions
+	* src/racoon/ipsec_doi.c configure.ac: More build fixes on Linux. 
+	  Accomodate various libiconv versions
+
+2005-07-10  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/ipsec_doi.c configure.ac: build fixes on Linux. 
+	  Accomodate various libiconv versions
 
 2005-07-09  Yvan Vanhullebus  <vanhu@free.fr>
 
@@ -252,20 +564,21 @@
 	* src/racoon/raccon.conf.5: Document that aes can be used in 
 	  racoon.conf
 
-2005-07-06  Emmanuel Dreyfus  <manu@netbsd.org>
-
-	* src/setkey/extern.h: new file (was missing in previous commit)
-
 2005-07-06  Frederic Senault  <fred@lacave.net>
 
 	* src/setkey/setkey.c: fix compilation with readline.
-	* src/racoon/oakley.c: move declarations to the top of the function
-	  to fix compilation issues with gcc 2.95.4/FreeBSD4, re-indentation
-	  and style cleanup of the pkcs7 patch.
+	* src/racoon/oakley.c: move declarations to fix compilation issues
+	  with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the
+	  pkcs7 patch.
+
+2005-07-04  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakmp_inf.c: safety checks on informational messages
+	* src/racoon/{pfkey.c|proposal.c}: IPcomp fixes
 
 2005-07-01  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	From Uri <urimobile@optonline.net>:
+	From Uri Blumenthal <urimobile@optonline.net>:
 	* src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes
 	* src/racoon/oakley.c: pkcs7 support
 
@@ -281,18 +594,17 @@
 	  src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned, 
 	  size_t/int and lint constants
 
-2005-06-29  Emmanuel Dreyfus  <manu@netbsd.org>
-
-	From Uri <urimobile@optonline.net> and Larry Baird <lab@gta.com>:
-	* src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
-	  src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
-	  src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
-
----------------------------------------------
-
-	0.6 released 
-
-2005-06-22  Emmanuel Dreyfus  <manu@netbsd.org>
+2005-06-24  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/handler.c: Fixed phase2 enc algo check when reloading
+	  conf (could flush a phase2 handler when not needed).
+
+2005-06-19  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h}
+	  src/racoon/racoonctl.8:
+	  Add a logout-user command to racoonctl to kick out all SA for a
+	  given Xauth user
 
 	From Ludo Stellingwerff <ludo@protactive.nl>:
 	* src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as 
@@ -301,23 +613,33 @@
 	  on phase 2 initiation retries when the phase 2 had been queued
 	  for a phase 1.
 
----------------------------------------------
-
-	0.6rc1 released 
-
-2005-06-15  Emmanuel Dreyfus  <manu@netbsd.org>
+	From Uri Blumenthal <urimobile@optonline.net> 
+	and Larry Baird <lab@gta.com>:
+	* src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
+	  src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
+	  src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
+	* src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2
+	* src/setkey/token.l: Add aliases shaxxx for sha2_xxx
+
+2005-06-07  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	From Larry Baird <lab@gta.com>
 	* src/racoon/isakmp.c: consume NAT keepalive data  already seen
 	  with MSG_PEEK 
 
+2005-06-07  Frederic Senault  <fred@lacave.net>
+
+	* configure.ac src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c}
+	  src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add
+	  support for system accounting into the utmp files, with the
+	  "accounting system" directive.
+
+	* src/privsep.c: Bug fixes in the xauth password handling code.
+
 2005-06-06  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	* src/racoon/isakmp_quick.c: endianness bug fix
 
-	From Frederic Senault  <fred@lacave.net>
-	* src/racoon/privsep.c: fix Xauth login with PAM authentication
-
 2005-06-05  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	From Thomas Klausner <wiz@netbsd.org>
@@ -329,14 +651,19 @@
 	* src/racoon/ipsec_doi.c: Inserted missing 0th element of
 	  rm_idtype2doi array. Bug #1199700 fix.
 
+2005-05-30  Frederic Senault  <fred@lacave.net>
+
+	* src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro
+	  definition.
+
+	* src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script
+	  is executed at the end of the mode cfg exchange ; add a debug
+	  message at the script startup.
+
 2005-05-23  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	* src/racoon/admin.c: build fix
 
----------------------------------------------
-
-	0.6b3 released 
-
 2005-05-20  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	From Mike Robinson <sundialservices@users.sourceforge.net>
@@ -348,17 +675,31 @@
 	* src/racoon/proposal.c: fix SPI size test for IPcomp
 
 	From Larry Baird <lab@gta.com>
-	* src/racoon/{handler.c|ipsec_doi.c|remoteconf.h|remoteconf.c}: When 
-	  altering lifetime, duplicate the proposal instead of modifying 
-	  the configured one.
-
-	From Frederic Senault  <fred@lacave.net>
+	* src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime, 
+	  duplicate the proposal instead of modifying the configured one.
+
+2005-05-19  Frederic Senault  <fred@lacave.net>
+
+	* configure.ac src/racoon/plog.c: Fix the logging functions to work
+	  around the lack of support of printf %zu in FreeBSD 4 (at least).
+
 	* src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
 	  fix a hangup with FreeBSD 4.
 
+	* src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a
+	  unity-specific heartbeat message.
+	* src/racoon/isakmp_inf.c: Reorganize switch statement in
+	  isakmp_check_notify.
+
+2005-05-17  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/handler.c: Fixed exchange type check in
+	  revalidate_ph1().
+	* src/racoon/pfkey.c: changed includes order to fix compilation.
+
 2005-05-14  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* src/libipsec/policy_parse.y: fix parse bug in IPsec policies
+	* src/libipsec/policy_parse.y: Fix parse problem
 
 2005-05-14  Aidas Kasparas  <a.kasparas@gmc.lt>
 
@@ -367,10 +708,7 @@
 
 2005-05-13  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
-	  consider null port as a wildcard and use IKE port
-
-	* src/racoon/isakmp.c: Build fix
+	* src/racoon/isakmp_inf.c: fix build problem
 
 2005-05-13  Yvan Vanhullebus  <vanhu@free.fr>
 
@@ -379,37 +717,46 @@
 
 2005-05-12  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* src/racoon/{proposal.c|proposal.h|isakmp_quick.c}: fix build problem
-
----------------------------------------------
-
-	0.6b2 released 
-
-2005-05-10  Emmanuel Dreyfus  <manu@netbsd.org>
-
-	* src/racoon/samples/roadwarrior/client/racoon.conf
-	  src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
-	  src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
-	  src/racoon/samples/roadwarrior/README: update config files to 
-	  higher security settings. Remove now useless phase 1 down 
-	  script on server side.
+	* src/racoon/isakmp_quick.c: fix build problem on some platforms
+
+	* src/racoon/isakmp.c: For acquire messages, when NAT-T is in use, 
+	  consider null port as a wildcard and use IKE ports.
 
 2005-05-10  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* src/racoon/ipsec_doi.c: check for lifebyte in proposals
-	* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
-
-	* src/racoon/{cfparse.y|cftoken.l|racoon.conf.5|isakmp_cfg.c}
-	  src/racoon/{isakmp_cfg.h|isakmp_unity.c}: add Cisco extensions for
-	  sending PFS group and save password through ISAKMP mode config.
+	* src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
+	  src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
+	  src/racoon/samples/roadwarrior/client/racoon.conf: update config 
+	  files to higher security settings. Remove now useless phase 1 down 
+	  script on server side.
+	* Update README to reflect server/phase1-down.sh removal
+
+2005-05-09  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
+	  src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and
+	  save password extensions from Cisco in ISAKMP mode config.
 
 2005-05-08  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* configure.ac src/racoon/isakmp_xauth.c: Support shadow passwords
+	* src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte
+	  in proposals
+	* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
+	* src/racoon/handler.c: style
+
+	* src/racoon/isakmp_xauth.c: fix build with shadow passwords
 
 2005-05-07  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
+	* configure.ac src/racoon/isakmp_xauth.c: support shadow passwords
+	* src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype
+	* src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h}
+	  src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes
+	  to the right header file
+
+2005-05-06  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various 
 	  ISAKMP SA termination (for DPD timeouts and delete message) to
 	  use purge_remote() so that SA and generated SPD get correctly flushed
 	* src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
@@ -420,6 +767,24 @@
 	* src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro
 	  to compare with ports when ENABLE_NATT and without otherwise
 
+2005-05-06  Frederic Senault  <fred@lacave.net>
+
+	* src/racoon/isakmp_inf.c: Only print the contents of an informative
+	  message if the payload indicates an error ; transmit the return
+	  values from the DPD functions.
+
+2005-05-06  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakmp_inf.c: Fix a bug causing informational message
+	  payloads to be ignored
+
+2005-05-05  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp_inf.c: Fixed some potential crashes in
+	  purge_remote() and purge_ipsec_spi().
+
+2005-05-05  Emmanuel Dreyfus  <manu@netbsd.org>
+
 	* src/libipsec/{policy_parse.y|policy_token.l}
 	  src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
 	  endpoints, for accurate ESP over UDP matching
@@ -431,6 +796,11 @@
 	  use the IKE ports supplied by racoon to set up acurate endpoints
 	  ports in SP endpoints
 
+2005-05-04  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated
+	  policies are now also removed when DPD purge.
+
 2005-05-04  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	From Manisha Malla <mmanisha@novell.com>
@@ -444,33 +814,63 @@
 
 	* configure.ac: Revert GLIBC_BUGS change from 2005-04-15
 
-2005-05-03  Emmanuel Dreyfus  <manu@netbsd.org>
-
-	From Patrick McHardy <kaber@trash.net>
-	* src/racoon/{pfkey.c|handler.h|hendler.c}: on phase 2 acquire, 
-	  lookup phase 2 by (src, dst, policy id) so that multiple SA can 
-	  be used in transport mode
+2005-05-03  Frederic Senault  <fred@lacave.net>
+
+	* src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5}
+	  src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check
+	  option to enable the handling of unencrypted delete payloads.
+
+	* src/racoon/plog.c: Use of isgraph in binsanitize.
+
+	* src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC.
+
+	* src/racoon/isakmp_inf.c: Unused code cleanup.
 
 2005-04-26  Emmanuel Dreyfus  <manu@netbsd.org>
 
+	* bootstrap: Darwin support
+
 	From Larry Baird <lab@gta.com>
-	* src/racoon/nattraversal.c: Fix NAT-T initiator problem
+	* src/racoon/nattraversal.c: Fix NAT-T for initiator
+
+	From Andreas Tobler <toa@pop.agri.ch>:
+	* src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c}
+	  src/racoon/{pfkey.c|isakmp.c|grabmyaddr.c|getcertsbyname.c}
+	  src/racoon/configure.ac src/libipsec/policy_token.l
+	  src/setkey/token.l: Build on Darwin
 
 2005-04-25  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}:
+	* src/racoon/handler.h: ifdef DPD and NAT-T data in data structures
+
+	* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}
 	  src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
 	  enable the display of ESP over UDP ports in policies.
-	
-	* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
-	  forget port numbers so that mutiple clients behind the same NAT
-	  can work.
 
 	* src/racoon/ipsec_doi.c: fix LP64 bug
-	
+	  
+	From Ludo Stellingwerff <ludo@protactive.nl>:
+	* src/racoon/isakmp.c: build without NAT-T
+
+	From F. Senault <fred.letter@lacave.net>
+	* src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c}
+	  src/racoon/isakmp_xauth.c: Take into account payloads bundled after
+	  an ISAKMP informationnal message.
+
+	From Patrick McHardy <kaber@trash.net>
+	* src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire
+	  message, lookup phase 2 by (src, dst, id) instead of only id.
+
+2005-04-23  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/libipsec/ipsec_dump_policy.c: display port numbers in policies 
+	* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
+	  forget port numbers so that mutiple clients behind the same NAT 
+	  can work. 
+
 	From Larry Baird <lab@gta.com>
 	* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
-	  NAT-T fixes for interoperability with greenbow VPN client.
+	NAT-T fixes for interoperability with greenbow VPN client.
 
 2005-04-21  Aidas Kasparas  <a.kasparas@gmc.lt>
 
@@ -481,8 +881,8 @@
 	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
 	  src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
 	  src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
-	  src/racoon/sockmisc.h, src/racoon/racoonctl.c: made
-	  compile with gcc-4.0 (20050410 prerelease)
+	  src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile 
+	  with gcc-4.0 (20050410 prerelease)
 
 2005-04-20  Aidas Kasparas  <a.kasparas@gmc.lt>
 
@@ -491,13 +891,7 @@
 
 2005-04-19  Yvan Vanhullebus  <vanhu@free.fr>
 
-	* src/racoon/handler.h: added a flag to identify generated policies
-	* src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
-	* src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
-	  policy have been generated in purge_remote_spi()
-	* src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
-	  generated policies
-	* src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
+	* src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup.
 
 2005-04-18  Aidas Kasparas  <a.kasparas@gmc.lt>
 
@@ -505,6 +899,8 @@
 	* NEWS: noted fix
 
 2005-04-18  Emmanuel Dreyfus  <manu@netbsd.org>
+	
+	* src/racoon/isakmp_base.c: DPD support, fix memory leak
 
 	From Thomas Klausner <wiz@NetBSD.org>
 	* src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
@@ -521,6 +917,32 @@
 	From KAME
 	* src/racoon/ipsec_doi.c: wrong check on SA lifebyte
 
+	From Fred Senault <fred.letter@lacave.net>
+	* src/racoon/{cfparse.y|cftoken.l} drop split_net_type directive, 
+	  which is now incoprated into split_net_tunnels
+	* src/raccon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
+	  src/racoon/isakmp_xauth.h: support login and password sent 
+	  in different packets during the Xauth exchange. This makes racoon
+	  interoperable with SecureComputing's sidewinder 
+	* src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth
+
+2005-04-17  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/handler.c: Configuration reload validation code
+	* src/racoon/handler.h:revalidate_ph12() function
+	* src/racoon/ipsec_doi.c: duplicates iph1->approval in
+	  get_ph1approval(), some fields sets to NULL when needed
+	* src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public
+	* src/racoon/localconf.[ch]: save/restore_params() functions
+	* src/racoon/main.c: moved restore_params functions to localconf
+	* src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa()
+	  function, some values set to NULL when needed
+	* src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa()
+	  function
+	* src/racoon/sainfo.[ch]: save_sainfotree() functions
+	* src/racoon/session.c: Reloads conf on a SIGHUP without loosing
+	  existing tunnels
+
 2005-04-15  Aidas Kasparas  <a.kasparas@gmc.lt>
 
 	From Zilvinas Valinskas <zilvinas@gemtek.lt>:
@@ -529,13 +951,85 @@
 	  - --enable-{frag|hybrid}=no fixes (patches 6,7);
 	  - support for --with-flex, --with-flexlib (patch 11);
 	  - GLIBC_BUGS assignment correction (patch 14 with mods).
+	* src/racoon/isakmp.c: fix compilation when hybrid disabled.
+
+2005-04-11  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/rfc/{rfc2407.txt|rfc2408.txt: new files
+	  RFC for IPsec DOI and ISAKMP
 
 2005-04-10  Emmanuel Dreyfus <manu@netbsd.org>
 
-	* src/racoon/isakmp_agg.c: fix a memory leak when using hybrid auth
-        * src/libipsec/{pfkey.c|pfkey_dump.c}
-          src/setkey/{token.l|parse.y|setkey.8}: missing bits for TCP_MD5 
-	  support, from KAME
+	* src/racoon/isakmp_base.c: resurect RSASIG support
+	* src/racoon/isakmp_ident.c: missing support for hybrid auth
+	* src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode
+
+2005-04-09  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c}
+	  src/racoon/{isakmp.c|isakmp_agg.c|isakmp_ident.c|isakmp_base.c}
+	  src/racoon/{isakmp_frag.h|isakmp_xauth.c|oakley.c|racoon.conf.5}:
+	  Add Xauth + RSASIG, for client and server. Add all Xauth and 
+	  IKE fragmentation logic to base and ident mode.
+	* src/libipsec/{pfkey.c|pfkey_dump.c}
+	  src/setkey/parse.y: more missing TCP_MD5 bits from KAME
+
+2005-04-08  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/cfparse.y: a list of network can be specified for split
+	  tunnelling
+	* src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the 
+	  netmask in CIDR notation, to the hook script environement.
+	* src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing 
+	  bits for TCP_MD5 support.
+
+	From Fred Senault <fred.letter@lacave.net>
+	* src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h}
+	  src/racoon/racoon.conf.5: KEYID identifier can be taken from
+	  a file or from a quoted string
+
+2005-04-05  Emmanuel Dreyfus <manu@netbsd.org>
+
+	From Fred Senault <fred.letter@lacave.net>
+	* src/racoon/admin.c: fix the admin interface that was left behind
+	  after recent Xauth changes
+	* src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c}
+	  src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in 
+	  remote conf within a single structure.
+	* src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run 
+	  phase1-up script before ISAKMP mode config is done
+	* src/racoon/isakmp_inf.c: log a buggy condition
+	* src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c}
+	  src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to 
+	  distinguish between XAUTH PSK and Kerberos authentications
+	* src/racoon/{oakley.c|remoteconf.c}: set a default for certificate 
+	  requests
+	* src/racoon/isakmp_xauth.c: Fix serious security bug introduced 
+	  on 2005-03-09: Xauth validation was required for phase 2 on the 
+	  client (thus blocking phase 2), but not on the server (thus 
+	  making it open regardless of Xauth exchange). 
+	* src/racoon/vendorid.c: dump unknown VIDs
+	  
+
+2005-04-06  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/crypto_openssl.c: Disable OpenSSL padding in
+	evp_crypt(), because it may cause some interoperability problems.
+	Solution reported by Ganesan Rajagopal.
+
+2005-04-05  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/main.c: build with hybrid but without libradius
+	
+2005-04-05  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/handler.h: added a flag to identify generated policies
+	* src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
+	* src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
+	  policy have been generated in purge_remote_spi()
+	* src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
+	  generated policies
+	* src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
 
 2005-04-04  Emmanuel Dreyfus <manu@netbsd.org>
 
@@ -545,10 +1039,6 @@
 
 	* configure.ac: Don't compile with NAT-T by default (according to 
 	  documentation, finally :-)
-	* configure.ac, rpm/suse/ipsec-tools.spec.in,
-	  rpm/suse/Makefile.am: Distribute .spec file with 
-	  resolved version string.
-	* src/racoon/Makefile.am: Allow parallel cluster build.
 
 2005-03-27  Michal Ludvig  <michal@logix.cz>
 
@@ -559,26 +1049,20 @@
 	* acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation.
 	  (RACOON_CHECK_BUGGY_GETADDRINFO): Ditto.
 
----------------------------------------------
-
-	0.6b1 released 
-
-2005-03-22  Emmanuel Dreyfus <manu@netbsd.org>
-
-	* src/racoon/privsep.c: fix the build without --with-libpam
-
 2005-03-16  Emmanuel Dreyfus <manu@netbsd.org>
 
-	* src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5}
-	  src/racoon/remoteconf.c: When running in privsep mode, check that
-	  private key and script paths match those given in the path section.
+	* src/racoon/privsep.c: check for NULL path in unsafe_path()
+	* src/racoon/privsep.c: missing space
 
 2005-03-15  Emmanuel Dreyfus <manu@netbsd.org>
 
-	* src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize 
-	  RADIUS accounting at startup
-	* src/racoon/privsep.c: fix minor bug in PAM cleanup
-	* src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used
+	* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h}
+	  src/racoon/{isakmp_var.h|isakmp_xauth.c|localconf.h|privsep.c}
+	  src/racoon/{privsep.h|racoon.conf.5|remoteconf.c|remoteconf.h}
+	  src/racoon/main.c: Remove most of config dependency from 
+	  privilegied instance for upcoming config reload patch.
+	* src/racoon/isakmp_cfg.h: fix the application version for Xauth
+	* src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used
 
 2005-03-14  Emmanuel Dreyfus <manu@netbsd.org>
 
@@ -591,8 +1075,28 @@
 
 2005-03-09  Emmanuel Dreyfus <manu@netbsd.org>
 
+	From Fred Senault <fred.letter@lacave.net>
+	* src/racoon/cfparse.y: endainness bugfix
+	* src/racoon/isakmp_xauth.c: off by one bugs in strings
+	* src/racoon/oakley.h: missing parenthesis causing bugs
+
+2005-03-09  Emmanuel Dreyfus <manu@netbsd.org>
+
 	* src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth
 
+2005-03-07  Emmanuel Dreyfus <manu@netbsd.org>
+
+	From Fred Senault <fred.letter@lacave.net>
+	* src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l}
+	  src/racoon/{handler.c|ipsec_doi.c|ipsec_doi.h|isakmp.c}
+	  src/racoon/{isakmp_agg.c|isakmp_base.c|isakmp_cfg.c|isakmp_cfg.h}
+	  src/racoon/{isakmp_ident.c|isakmp_inf.c|isakmp_quick.c}
+	  src/racoon/{isakmp_unity.c|isakmp_xauth.c|kmpstat.c|oakley.c}
+	  src/racoon/{oakley.h|plainrsa-gen.8|privsep.c|racoon.conf.5}
+	  src/racoon/{racoonctl.c|remoteconf.c|remoteconf.h|strnames.c}
+	  src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split
+	  tunnelling, multiple DNS & WINS in ISAKMP mode config.
+
 2005-03-02  Yvan Vanhullebus  <vanhu@free.fr>
 
 	* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
@@ -603,34 +1107,35 @@
 	* src/racoon/oakley.c: fixed oakley_newiv2() when errors
 
 2005-02-24  Emmanuel Dreyfus <manu@netbsd.org>
-
-	* src/racoon/privsep.c: safety check port numbers given by the
+	
+	* src/racoon/privsep.c: safety check port numbers given by the 
 	  unprivilegied instance.
-	* src/libipsec/libpfkey.h: prefer __inline to inline
 	* src/racoon/racoonctl.8: display fixes in racoonctl(8)
-	* src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
-	  src/racoon/racoon.conf.5: Add chroot capability
-	
+
 2005-02-23  Emmanuel Dreyfus <manu@netbsd.org>
 
 	* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
 	  support for patented algorithms: IDEA and RC5.
 	* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
 	  is not required in the configuration
-	* src/racoon/isakmp.c: do not reject addresses for which kernel
-	  refused UDP encapsulation, they can still be used for non NAT-T
+	* src/racoon/isakmp.c: do not reject addresses for which kernel 
+	  refused UDP encapsulation, they can still be used for non NAT-T 
 	  traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
+	* src/libipsec/libpfkey.h: prefer __inline to inline
+	* src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
+	  src/racoon/racoon.conf.5: Add chroot capability
 
 2005-02-18  Emmanuel Dreyfus <manu@netbsd.org>
 
 	* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
 	  src/setkey/setkey.c: don't use fuzzy paths for package_version.h
 
-2005-02-18  Yvan Vanhullebus  <vanhu@free.fr>
-
-	* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
-	  related DELETE_SA
-	* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
+2005-02-18  Michal Ludvig  <michal@logix.cz>
+
+	* configure.ac, rpm/suse/ipsec-tools.spec.in,
+	  rpm/suse/Makefile.am: Distribute .spec file with 
+	  resolved version string.
+	* src/racoon/Makefile.am: Allow parallel cluster build.
 
 2005-02-17  Emmanuel Dreyfus <manu@netbsd.org>
 
@@ -641,6 +1146,12 @@
 
 	* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
 
+2005-02-16  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
+	  related DELETE_SA
+	* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
+
 2005-02-15  Michal Ludvig  <michal@logix.cz>
 
 	* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
--- a/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: glibc-bugs.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: glibc-bugs.h,v 1.4 2006/09/09 16:22:08 manu Exp $	*/
 
 #ifndef __GLIBC_BUGS_H__
 #define __GLIBC_BUGS_H__ 1
--- a/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkeyv2.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: pfkeyv2.h,v 1.4 2006/09/09 16:22:08 manu Exp $	*/
 
 #ifndef __NET_PFKEYV2_H_
 #define __NET_PFKEYV2_H_ 1
--- a/crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 #include <net/pfkeyv2.h>
 #include <linux/ipsec.h>
--- a/crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: queue.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: queue.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /*
  * Copyright (c) 1991, 1993
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: ipsec_dump_policy.c,v 1.6 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: ipsec_dump_policy.c,v 1.7 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: ipsec_dump_policy.c,v 1.7.4.2 2005/06/29 13:01:27 manubsd Exp */
+/* Id: ipsec_dump_policy.c,v 1.10 2005/06/29 09:12:37 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_get_policylen.c,v 1.5 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: ipsec_get_policylen.c,v 1.6 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: ipsec_set_policy.3,v 1.12 2005/11/21 14:20:28 manu Exp $
+.\"	$NetBSD: ipsec_set_policy.3,v 1.13 2006/09/09 16:22:09 manu Exp $
 .\"
 .\"	$KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
 .\"
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: ipsec_strerror.3,v 1.9 2005/11/21 14:20:28 manu Exp $
+.\"	$NetBSD: ipsec_strerror.3,v 1.10 2006/09/09 16:22:09 manu Exp $
 .\"
 .\"	$KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
 .\"
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_strerror.c,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: ipsec_strerror.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_strerror.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: ipsec_strerror.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: ipsec_strerror.h,v 1.4 2004/06/07 09:18:46 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_debug.c,v 1.6 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: key_debug.c,v 1.7 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $	*/
 
@@ -46,6 +46,10 @@
 #endif
 #endif
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif
+
 #include <sys/types.h>
 #include <sys/param.h>
 #ifdef _KERNEL
@@ -87,6 +91,10 @@
 static void kdebug_sadb_x_nat_t_port __P((struct sadb_ext *ext));
 #endif
 
+#ifdef SADB_X_EXT_PACKET
+static void kdebug_sadb_x_packet __P((struct sadb_ext *));
+#endif
+
 #ifdef _KERNEL
 static void kdebug_secreplay __P((struct secreplay *));
 #endif
@@ -185,6 +193,11 @@
 			kdebug_sadb_address(ext);
 			break;
 #endif
+#ifdef SADB_X_EXT_PACKET
+		case SADB_X_EXT_PACKET:
+			kdebug_sadb_x_packet(ext);
+			break;
+#endif
 		default:
 			printf("kdebug_sadb: invalid ext_type %u was passed.\n",
 			    ext->sadb_ext_type);
@@ -527,6 +540,27 @@
 }
 #endif
 
+#ifdef SADB_X_EXT_PACKET
+static void
+kdebug_sadb_x_packet(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_x_packet *pkt = (struct sadb_x_packet *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_x_packet: NULL pointer was passed.\n");
+
+	printf("sadb_x_packet{ copylen=%u\n", pkt->sadb_x_packet_copylen);
+	printf("  packet=");
+	ipsec_hexdump((caddr_t)pkt + sizeof(struct sadb_x_packet),
+		      pkt->sadb_x_packet_copylen);
+	printf(" }\n");
+	return;
+}
+#endif
+
+
 #ifdef _KERNEL
 /* %%%: about SPD and SAD */
 void
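Review bot: `kdebug_sadb_x_packet` hands `pkt->sadb_x_packet_copylen` straight to `ipsec_hexdump()` without checking it against the extension's own length, so a message whose copylen is larger than the bytes actually following the `sadb_x_packet` header makes the dumper read past the PF_KEY buffer. The other dumpers in this file derive payload sizes from `sadb_ext_len` via `PFKEY_UNUNIT64` from libpfkey.h, and the same guard fits here after the existing NULL check: `if (PFKEY_UNUNIT64(ext->sadb_ext_len) < sizeof(*pkt) + pkt->sadb_x_packet_copylen)` followed by `panic("kdebug_sadb_x_packet: copylen exceeds sadb_ext_len.\n");` (a printf-and-return would also do if a malformed extension should not be fatal). As a minor point of style, `pkt` is initialised by casting `ext` before the NULL sanity check runs; nothing is dereferenced before the check, but moving the assignment below it reads less like a latent use-before-check.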
--- a/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: libpfkey.h,v 1.9 2005/12/04 20:46:40 manu Exp $	*/
+/*	$NetBSD: libpfkey.h,v 1.10 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: libpfkey.h,v 1.8.2.3 2005/06/29 13:01:28 manubsd Exp */
+/* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,6 +135,10 @@
 	struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
 int pfkey_send_spdflush __P((int));
 int pfkey_send_spddump __P((int));
+#ifdef SADB_X_MIGRATE
+int pfkey_send_migrate __P((int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+#endif
 
 int pfkey_open __P((void));
 void pfkey_close __P((int));
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.9 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.10 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -1198,6 +1198,100 @@
 	return len;
 }
 
+
+#ifdef SADB_X_MIGRATE
+/*
+ * sending SADB_X_MIGRATE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_migrate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+	if (prefs > plen || prefd > plen) {
+		__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ policylen;
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_X_MIGRATE, (u_int)len,
+	    SADB_SATYPE_UNSPEC, seq, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
+	if (!p || p + policylen != ep) {
+		free(newmsg);
+		return -1;
+	}
+	memcpy(p, policy, policylen);
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+#endif
+
+
 /* sending SADB_ADD or SADB_UPDATE message to the kernel */
 static int
 pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
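Review bot: The message length computed at the top of `pfkey_send_migrate` charges `PFKEY_ALIGN8(src->sa_len)` twice and never looks at `dst->sa_len`, so the destination address slot is sized from the source address; the second term should be `+ PFKEY_ALIGN8(dst->sa_len)`. The family-mismatch check earlier makes the two lengths equal in practice, and the `p + policylen != ep` test would turn any mismatch into a `-1` rather than an overrun, but the copy-paste is worth fixing before it is carried into another sender. Separately, `policy` is not part of the validity check although `memcpy(p, policy, policylen)` dereferences it whenever `policylen` is non-zero; adding `(policy == NULL && policylen != 0)` to the `EIPSEC_INVAL_ARGUMENT` branch makes the contract explicit, and a negative `policylen` should be rejected there too rather than left to the bounds check in `pfkey_setsadbaddr`.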
@@ -1971,7 +2065,9 @@
 #ifdef SADB_X_EXT_PACKET
 		case SADB_X_EXT_PACKET:
 #endif
-
+#ifdef SADB_X_EXT_SEC_CTX
+		case SADB_X_EXT_SEC_CTX:
+#endif
 			mhp[ext->sadb_ext_type] = (void *)ext;
 			break;
 		default:
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.12 2005/12/04 20:46:40 manu Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.13 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 
@@ -245,14 +245,17 @@
 	struct sadb_ident *m_sid, *m_did;
 	struct sadb_sens *m_sens;
 #endif
+#ifdef SADB_X_EXT_SEC_CTX
+	struct sadb_x_sec_ctx *m_sec_ctx;
+#endif
 #ifdef SADB_X_EXT_NAT_T_TYPE
 	struct sadb_x_nat_t_type *natt_type;
 	struct sadb_x_nat_t_port *natt_sport, *natt_dport;
 	struct sadb_address *natt_oa;
-	struct sockaddr *sa;
 
 	int use_natt = 0;
 #endif
+	struct sockaddr *sa;
 
 	/* check pfkey message. */
 	if (pfkey_align(m, mhp)) {
@@ -281,6 +284,9 @@
 	m_did = (void *)mhp[SADB_EXT_IDENTITY_DST];
 	m_sens = (void *)mhp[SADB_EXT_SENSITIVITY];
 #endif
+#ifdef SADB_X_EXT_SEC_CTX
+	m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+#endif
 #ifdef SADB_X_EXT_NAT_T_TYPE
 	natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
 	natt_sport = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
@@ -435,6 +441,19 @@
 			0 : m_lfts->sadb_lifetime_allocations));
 	}
 
+#ifdef SADB_X_EXT_SEC_CTX
+	if (m_sec_ctx != NULL) {
+		printf("\tsecurity context doi: %u\n",
+					m_sec_ctx->sadb_x_ctx_doi);
+		printf("\tsecurity context algorithm: %u\n",
+					m_sec_ctx->sadb_x_ctx_alg);
+		printf("\tsecurity context length: %u\n",
+					m_sec_ctx->sadb_x_ctx_len);
+		printf("\tsecurity context: %s\n",
+			(char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx));
+	}
+#endif
+
 	printf("\tsadb_seq=%lu pid=%lu ",
 		(u_long)m->sadb_msg_seq,
 		(u_long)m->sadb_msg_pid);
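Review bot: The `%s` in the last added printf trusts the context string that follows the `struct sadb_x_sec_ctx` header to be NUL-terminated, while the extension's own `sadb_x_ctx_len`, printed one line earlier, is not used to bound the read. The message arrives over the PF_KEY socket, so a context without a terminator would make printf run past the extension; bounding the print to the declared length, `printf("\tsecurity context: %.*s\n", (int)m_sec_ctx->sadb_x_ctx_len, (char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx));`, is the safe shape, provided `sadb_x_ctx_len` has been checked against the extension's total length (that check may live in pfkey_align, which is not in this hunk). The identical four-printf block is added again in the hunk at @@ -598,6 +623,18 @@ for the policy dump; a small static helper would keep both in sync. The enclosing function starts outside the hunk.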
@@ -472,6 +491,9 @@
 #endif
 	struct sadb_x_policy *m_xpl;
 	struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
+#ifdef SADB_X_EXT_SEC_CTX
+	struct sadb_x_sec_ctx *m_sec_ctx;
+#endif
 	struct sockaddr *sa;
 	u_int16_t sport = 0, dport = 0;
 
@@ -494,6 +516,9 @@
 	m_lftc = (void *)mhp[SADB_EXT_LIFETIME_CURRENT];
 	m_lfth = (void *)mhp[SADB_EXT_LIFETIME_HARD];
 
+#ifdef SADB_X_EXT_SEC_CTX
+	m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+#endif
 #ifdef __linux__
 	/* *bsd indicates per-socket policies by omiting src and dst 
 	 * extensions. Linux always includes them, but we can catch it
@@ -598,6 +623,18 @@
 			(u_long)m_lfth->sadb_lifetime_usetime);
 	}
 
+#ifdef SADB_X_EXT_SEC_CTX
+	if (m_sec_ctx != NULL) {
+		printf("\tsecurity context doi: %u\n",
+					m_sec_ctx->sadb_x_ctx_doi);
+		printf("\tsecurity context algorithm: %u\n",
+					m_sec_ctx->sadb_x_ctx_alg);
+		printf("\tsecurity context length: %u\n",
+					m_sec_ctx->sadb_x_ctx_len);
+		printf("\tsecurity context: %s\n",
+			(char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx));
+	}
+#endif
 
 	printf("\tspid=%ld seq=%ld pid=%ld\n",
 		(u_long)m_xpl->sadb_x_policy_id,
--- a/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy_parse.y,v 1.8 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: policy_parse.y,v 1.9 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/policy_token.l	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/policy_token.l	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: policy_token.l,v 1.5 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: policy_token.l,v 1.6 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: policy_token.l,v 1.10.4.1 2005/05/07 14:30:38 manubsd Exp */
+/* Id: policy_token.l,v 1.12 2005/05/05 12:32:18 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -55,7 +55,8 @@
 
 #include "libpfkey.h"
 
-#if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__)
+#if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__)  && \
+!defined(__APPLE__) && !defined(__MACH__)
 #include "y.tab.h"
 #else
 #include "policy_parse.h"
--- a/crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: test-policy-priority.c,v 1.2 2005/08/20 00:57:06 manu Exp $	*/
+/*	$NetBSD: test-policy-priority.c,v 1.3 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/test-policy.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/test-policy.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: test-policy.c,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: test-policy.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: admin.c,v 1.7 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: admin.c,v 1.8 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: admin.c,v 1.17.2.4 2005/07/12 11:49:44 manubsd Exp */
+/* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -58,6 +58,9 @@
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
 
 #include "var.h"
 #include "misc.h"
@@ -80,6 +83,9 @@
 #include "admin.h"
 #include "admin_var.h"
 #include "isakmp_inf.h"
+#ifdef ENABLE_HYBRID
+#include "isakmp_cfg.h"
+#endif
 #include "session.h"
 #include "gcmalloc.h"
 
@@ -193,13 +199,18 @@
 	{
 		caddr_t p;
 		int len;
-		if (sched_dump(&p, &len) == -1)
+		if (sched_dump(&p, &len) == -1) {
 			com->ac_errno = -1;
+			break;
+		}
+
 		buf = vmalloc(len);
-		if (buf == NULL)
+		if (buf == NULL) {
 			com->ac_errno = -1;
-		else
-			memcpy(buf->v, p, len);
+			break;
+		}
+
+		memcpy(buf->v, p, len);
 	}
 		break;
 
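Review bot: The new `break` taken after a failed vmalloc leaves the buffer that sched_dump() returned in `p` unreleased, and so does the success path after the memcpy, if sched_dump hands back heap memory (its contract is not on this page; the out-parameter shape suggests a copy that the caller owns). If that is the case, add `racoon_free(p);` after `memcpy(buf->v, p, len);` and before the `break` that follows the failed allocation, so both paths release it. The enclosing switch and function start outside the hunk.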
@@ -280,16 +291,10 @@
 			&((struct admin_com_indexes *)
 			    ((caddr_t)com + sizeof(*com)))->dst;
 
-		if ((loc = strdup(saddrwop2str(src))) == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL, 
-			    "cannot allocate memory\n");
-			break;
-		}
-		if ((rem = strdup(saddrwop2str(dst))) == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL, 
-			    "cannot allocate memory\n");
-			break;
-		}
+		loc = racoon_strdup(saddrwop2str(src));
+		rem = racoon_strdup(saddrwop2str(dst));
+		STRDUP_FATAL(loc);
+		STRDUP_FATAL(rem);
 
 		if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL, 
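Review bot: Replacing the logged `break` with `STRDUP_FATAL(loc)` / `STRDUP_FATAL(rem)` turns an allocation failure while serving an admin-socket request into termination of the whole daemon, if the macro exits the process as its name suggests (its definition is not on this page); the previous code failed only the request and kept the daemon and its SAs alive. The same substitution is made at @@ -315,21 +341,15 @@ below, inside the flush loop. For request handling the old shape, `if ((loc = racoon_strdup(saddrwop2str(src))) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n"); break; }`, is the more robust one; the fatal macro fits start-up paths such as the cfparse.y `path` statement. The enclosing case and function start outside the hunk.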
@@ -306,6 +311,27 @@
 		break;
 	}
 
+#ifdef ENABLE_HYBRID
+	case ADMIN_LOGOUT_USER: {
+		struct ph1handle *iph1;
+		char *user;
+		int found = 0;
+
+		if (com->ac_len > sizeof(com) + LOGINLEN + 1) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "malformed message (login too long)\n");
+			break;
+		}
+
+		user = (char *)(com + 1);
+		found = purgeph1bylogin(user);
+		plog(LLV_INFO, LOCATION, NULL, 
+		    "deleted %d SA for user \"%s\"\n", found, user);
+
+		break;
+	}
+#endif
+
 	case ADMIN_DELETE_ALL_SA_DST: {
 		struct ph1handle *iph1;
 		struct sockaddr *dst;
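Review bot: The length check in the new ADMIN_LOGOUT_USER case uses `sizeof(com)`, the size of the pointer, where the header size `sizeof(*com)` is meant; the cast a few lines later, `(char *)(com + 1)`, shows the login is expected right after the struct, so the bound is computed from the wrong quantity. The check also only caps the maximum: a message whose `ac_len` is no larger than the header, or a login without a terminating NUL inside `ac_len`, still reaches `purgeph1bylogin(user)` and the `%s` in plog, both of which read until they find a zero byte. Move the `user` assignment above the check and require both ends and the terminator, `if (com->ac_len <= sizeof(*com) || com->ac_len > sizeof(*com) + LOGINLEN + 1 || memchr(user, '\0', com->ac_len - sizeof(*com)) == NULL)`. The enclosing function starts outside the hunk.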
@@ -315,21 +341,15 @@
 			&((struct admin_com_indexes *)
 			    ((caddr_t)com + sizeof(*com)))->dst;
 
-		if ((rem = strdup(saddrwop2str(dst))) == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL, 
-			    "cannot allocate memory\n");
-			break;
-		}
+		rem = racoon_strdup(saddrwop2str(dst));
+		STRDUP_FATAL(rem);
 
 		plog(LLV_INFO, LOCATION, NULL, 
 		    "Flushing all SAs for peer %s\n", rem);
 
 		while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
-			if ((loc = strdup(saddrwop2str(iph1->local))) == NULL) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "cannot allocate memory\n");
-				break;
-			}
+			loc = racoon_strdup(saddrwop2str(iph1->local));
+			STRDUP_FATAL(loc);
 
 			if (iph1->status == PHASE1ST_ESTABLISHED)
 				isakmp_info_send_d1(iph1);
@@ -453,21 +473,27 @@
 				break;
 			}
 
+#ifdef ENABLE_HYBRID
 			/* Set the id and key */
 			if (id && key) {
-				if (rmconf->idv != NULL) {
-					vfree(rmconf->idv);
-					rmconf->idv = NULL;
-				}
-				if (rmconf->key != NULL) {
-					vfree(rmconf->key);
-					rmconf->key = NULL;
+				if (xauth_rmconf_used(&rmconf->xauth) == -1) {
+					com->ac_errno = -1;
+					break;
 				}
 
-				rmconf->idvtype = idtype;
-				rmconf->idv = id;
-				rmconf->key = key;
+				if (rmconf->xauth->login != NULL) {
+					vfree(rmconf->xauth->login);
+					rmconf->xauth->login = NULL;
+				}
+				if (rmconf->xauth->pass != NULL) {
+					vfree(rmconf->xauth->pass);
+					rmconf->xauth->pass = NULL;
+				}
+
+				rmconf->xauth->login = id;
+				rmconf->xauth->pass = key;
 			}
+#endif
  
 			plog(LLV_INFO, LOCATION, NULL,
 				"accept a request to establish IKE-SA: "
@@ -636,3 +662,4 @@
 	return 0;
 }
 #endif
+
--- a/crypto/dist/ipsec-tools/src/racoon/admin.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: admin.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: admin.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: admin.h,v 1.10 2004/12/30 13:45:49 manubsd Exp */
+/* Id: admin.h,v 1.11 2005/06/19 22:37:47 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -78,6 +78,11 @@
 #define ADMIN_ESTABLISH_SA_PSK	0x0203
 
 /*
+ * user login follows
+ */
+#define ADMIN_LOGOUT_USER	0x0205  /* Delete SA for a given Xauth user */
+
+/*
  * Range 0x08xx is reserved for privilege separation, see privsep.h 
  */
 
--- a/crypto/dist/ipsec-tools/src/racoon/admin_var.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin_var.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin_var.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: admin_var.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: admin_var.h,v 1.7 2004/12/30 00:08:30 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/algorithm.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/algorithm.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: algorithm.c,v 1.5 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: algorithm.c,v 1.6 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: algorithm.c,v 1.11.4.1 2005/06/28 22:38:02 manubsd Exp */
+/* Id: algorithm.c,v 1.15 2006/05/23 20:23:09 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -215,22 +215,46 @@
 { "lzs",	algtype_lzs,		IPSECDOI_IPCOMP_LZS, },
 };
 
+/*
+ * In case of asymetric modes (hybrid xauth), what's racoon mode of
+ * operations ; it seems that the proposal should always use the
+ * initiator half (unless a server initiates a connection, which is
+ * not handled, and probably not useful).
+ */
 static struct misc_algorithm oakley_authdef[] = {
-{ "pre_shared_key",	algtype_psk,		OAKLEY_ATTR_AUTH_METHOD_PSKEY, },
-{ "dsssig",	algtype_dsssig,		OAKLEY_ATTR_AUTH_METHOD_DSSSIG, },
-{ "rsasig",	algtype_rsasig,		OAKLEY_ATTR_AUTH_METHOD_RSASIG, },
-{ "rsaenc",	algtype_rsaenc,		OAKLEY_ATTR_AUTH_METHOD_RSAENC, },
-{ "rsarev",	algtype_rsarev,		OAKLEY_ATTR_AUTH_METHOD_RSAREV, },
-{ "gssapi_krb",	algtype_gssapikrb,	OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, },
+{ "pre_shared_key",	algtype_psk,	OAKLEY_ATTR_AUTH_METHOD_PSKEY, },
+{ "dsssig",		algtype_dsssig,	OAKLEY_ATTR_AUTH_METHOD_DSSSIG, },
+{ "rsasig",		algtype_rsasig,	OAKLEY_ATTR_AUTH_METHOD_RSASIG, },
+{ "rsaenc",		algtype_rsaenc,	OAKLEY_ATTR_AUTH_METHOD_RSAENC, },
+{ "rsarev",		algtype_rsarev,	OAKLEY_ATTR_AUTH_METHOD_RSAREV, },
+
+{ "gssapi_krb",		algtype_gssapikrb,
+    OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, },
+
 #ifdef ENABLE_HYBRID
-{ "hybrid_rsa_server",        algtype_hybrid_rsa_s,
-	OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I, },
-{ "hybrid_dss_server",        algtype_hybrid_dss_s,
-	OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I, },
-{ "hybrid_rsa_client",        algtype_hybrid_rsa_c,
-	OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R, },
-{ "hybrid_dss_client",        algtype_hybrid_dss_c,
-	OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R, },
+{ "hybrid_rsa_server",	algtype_hybrid_rsa_s,	
+    OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R, },
+
+{ "hybrid_dss_server",	algtype_hybrid_dss_s,	
+    OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R, },
+
+{ "xauth_psk_server", 	algtype_xauth_psk_s,	
+    OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R, },
+
+{ "xauth_rsa_server", 	algtype_xauth_rsa_s,	
+    OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R, },
+
+{ "hybrid_rsa_client",	algtype_hybrid_rsa_c,	
+    OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I, },
+
+{ "hybrid_dss_client",	algtype_hybrid_dss_c,	
+    OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I, },
+
+{ "xauth_psk_client",	algtype_xauth_psk_c,	
+    OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I, },
+
+{ "xauth_rsa_client",	algtype_xauth_rsa_c,	
+    OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I, },
 #endif
 };
 
@@ -396,7 +420,7 @@
 
 #ifdef ENABLE_STATS
 	gettimeofday(&end, NULL);
-	syslog(LOG_NOTICE, "%s(%s size=%d): %8.6f", __func__,
+	syslog(LOG_NOTICE, "%s(%s size=%zu): %8.6f", __func__,
 		f->name, buf->l, timedelta(&start, &end));
 #endif
 
@@ -508,7 +532,7 @@
 
 #ifdef ENABLE_STATS
 	gettimeofday(&end, NULL);
-	syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __func__,
+	syslog(LOG_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__,
 		f->name, key->l << 3, buf->l, timedelta(&start, &end));
 #endif
 	return res;
@@ -537,7 +561,7 @@
 
 #ifdef ENABLE_STATS
 	gettimeofday(&end, NULL);
-	syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __func__,
+	syslog(LOG_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__,
 		f->name, key->l << 3, buf->l, timedelta(&start, &end));
 #endif
 	return res;
--- a/crypto/dist/ipsec-tools/src/racoon/algorithm.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/algorithm.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: algorithm.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: algorithm.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: algorithm.h,v 1.8 2004/11/18 15:14:44 ludvigm Exp */
+/* Id: algorithm.h,v 1.10 2005/04/09 16:25:23 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -118,6 +118,10 @@
 	algtype_hybrid_dss_s,
 	algtype_hybrid_rsa_c,
 	algtype_hybrid_dss_c,
+	algtype_xauth_psk_s,
+	algtype_xauth_psk_c,
+	algtype_xauth_rsa_s,
+	algtype_xauth_rsa_c,
 #endif
 };
 
--- a/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: backupsa.c,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: backupsa.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $	*/
 
@@ -176,9 +176,9 @@
 
 	k = val2str(keymat, e_keylen + a_keylen);
 	l = snprintf(p, len, " %s", k);
+	racoon_free(k);
 	if (l < 0 || l >= len)
 		goto err;
-	racoon_free(k);
 	p += l;
 	len -= l;
 	if (len < 0)
--- a/crypto/dist/ipsec-tools/src/racoon/backupsa.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/backupsa.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: backupsa.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: backupsa.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: backupsa.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: cfparse.y,v 1.12 2006/03/19 08:00:19 christos Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.13 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: cfparse.y,v 1.37.2.6 2005/10/17 16:23:50 monas Exp */
+/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
 %{
 /*
@@ -83,6 +83,8 @@
 #include "handler.h"
 #include "isakmp.h"
 #ifdef ENABLE_HYBRID
+#include "resolv.h"
+#include "isakmp_unity.h"
 #include "isakmp_xauth.h"
 #include "isakmp_cfg.h"
 #endif
@@ -149,6 +151,7 @@
 static int tmpalgtype[MAXALGCLASS];
 static struct sainfo *cur_sainfo;
 static int cur_algclass;
+static int oldloglevel = LLV_BASE;
 
 static struct proposalspec *newprspec __P((void));
 static void insprspec __P((struct proposalspec *, struct proposalspec **));
@@ -192,11 +195,16 @@
 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
+	/* ldap config */
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* modecfg */
-%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4
-%token CFG_AUTH_SOURCE CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LOCAL CFG_NONE
-%token CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
+%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
+%token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
+%token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
+%token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
 %token CFG_PFS_GROUP CFG_SAVE_PASSWD
+
 	/* timer */
 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
@@ -209,18 +217,19 @@
 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
 %token VERIFY_CERT SEND_CERT SEND_CR
-%token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER VERIFY_IDENTIFIER
+%token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER 
+%token PEERS_IDENTIFIER VERIFY_IDENTIFIER
 %token DNSSEC CERT_X509 CERT_PLAINRSA
 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
 %token NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
-%token GENERATE_POLICY SUPPORT_PROXY
+%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
 %token PROPOSAL
 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
 %token COMPLEX_BUNDLE
 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
-%token XAUTH_LOGIN
+%token XAUTH_LOGIN WEAK_PHASE1_CHECK
 
 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH
@@ -228,21 +237,21 @@
 %token SCRIPT PHASE1_UP PHASE1_DOWN
 
 %token NUMBER SWITCH BOOLEAN
-%token HEXSTRING QUOTEDSTRING ADDRSTRING
+%token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
 %token EOS BOC EOC COMMA
 
 %type <num> NUMBER BOOLEAN SWITCH keylength
-%type <num> PATHTYPE IDENTIFIERTYPE LOGLEV GSS_ID_ENCTYPE
+%type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE 
 %type <num> ALGORITHM_CLASS dh_group_num
 %type <num> ALGORITHMTYPE STRENGTHTYPE
 %type <num> PREFIX prefix PORT port ike_port
 %type <num> ul_proto UL_PROTO
 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
-%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL
+%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL
 %type <num> unittype_time unittype_byte
-%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id
+%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
 %type <val> identifierstring
 %type <saddr> remote_index ike_addrinfo_port
 %type <alg> algorithm
@@ -262,6 +271,7 @@
 	|	logging_statement
 	|	padding_statement
 	|	listen_statement
+	|	ldapcfg_statement
 	|	modecfg_statement
 	|	timer_statement
 	|	sainfo_statement
@@ -283,7 +293,7 @@
 			struct passwd *pw;
 
 			if ((pw = getpwnam($2->v)) == NULL) {
-				yyerror("unkown user \"%s\"", $2->v);
+				yyerror("unknown user \"%s\"", $2->v);
 				return -1;
 			}
 			lcconf->uid = pw->pw_uid;
@@ -295,7 +305,7 @@
 			struct group *gr;
 
 			if ((gr = getgrnam($2->v)) == NULL) {
-				yyerror("unkown group \"%s\"", $2->v);
+				yyerror("unknown group \"%s\"", $2->v);
 				return -1;
 			}
 			lcconf->gid = gr->gr_gid;
@@ -319,7 +329,8 @@
 				racoon_free(lcconf->pathinfo[$2]);
 
 			/* set new pathinfo */
-			lcconf->pathinfo[$2] = strdup($3->v);
+			lcconf->pathinfo[$2] = racoon_strdup($3->v);
+			STRDUP_FATAL(lcconf->pathinfo[$2]);
 			vfree($3);
 		}
 		EOS
@@ -356,7 +367,7 @@
 		}
 	;
 
-	/* self infomation */
+	/* self information */
 identifier_statement
 	:	IDENTIFIER identifier_stmt
 	;
@@ -397,11 +408,12 @@
 	|	LOGLEV
 		{
 			/*
-			 * set the loglevel by configuration file only when
-			 * the command line did not specify any loglevel.
+			 * set the loglevel to the value specified
+			 * in the configuration file plus the number
+			 * of -d options specified on the command line
 			 */
-			if (loglevel <= LLV_BASE)
-				loglevel += $1;
+			loglevel += $1 - oldloglevel;
+			oldloglevel = $1;
 		}
 	;
 
@@ -494,6 +506,155 @@
 	:	/* nothing */	{ $$ = PORT_ISAKMP; }
 	|	PORT		{ $$ = $1; }
 	;
+
+	/* ldap configuration */
+ldapcfg_statement
+	:	LDAPCFG {
+#ifndef ENABLE_HYBRID
+			yyerror("racoon not configured with --enable-hybrid");
+			return -1;
+#endif
+#ifndef HAVE_LIBLDAP
+			yyerror("racoon not configured with --with-libldap");
+			return -1;
+#endif
+		} BOC ldapcfg_stmts EOC
+	;
+ldapcfg_stmts
+	:	/* nothing */
+	|	ldapcfg_stmts ldapcfg_stmt
+	;
+ldapcfg_stmt
+	:	LDAP_PVER NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (($2<2)||($2>3))
+				yyerror("invalid ldap protocol version (2|3)");
+			xauth_ldap_config.pver = $2;
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_HOST QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.host != NULL)
+				vfree(xauth_ldap_config.host);
+			xauth_ldap_config.host = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_PORT NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.port = $2;
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_BASE QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.base != NULL)
+				vfree(xauth_ldap_config.base);
+			xauth_ldap_config.base = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_SUBTREE SWITCH
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.subtree = $2;
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_BIND_DN QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.bind_dn != NULL)
+				vfree(xauth_ldap_config.bind_dn);
+			xauth_ldap_config.bind_dn = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_BIND_PW QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.bind_pw != NULL)
+				vfree(xauth_ldap_config.bind_pw);
+			xauth_ldap_config.bind_pw = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_ATTR_USER QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.attr_user != NULL)
+				vfree(xauth_ldap_config.attr_user);
+			xauth_ldap_config.attr_user = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_ATTR_ADDR QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.attr_addr != NULL)
+				vfree(xauth_ldap_config.attr_addr);
+			xauth_ldap_config.attr_addr = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_ATTR_MASK QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.attr_mask != NULL)
+				vfree(xauth_ldap_config.attr_mask);
+			xauth_ldap_config.attr_mask = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_ATTR_GROUP QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.attr_group != NULL)
+				vfree(xauth_ldap_config.attr_group);
+			xauth_ldap_config.attr_group = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_ATTR_MEMBER QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.attr_member != NULL)
+				vfree(xauth_ldap_config.attr_member);
+			xauth_ldap_config.attr_member = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	;
+
 	/* modecfg */
 modecfg_statement
 	:	MODECFG BOC modecfg_stmts EOC
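Review bot: In the `LDAP_PVER NUMBER` action an out-of-range version is reported with yyerror, but `xauth_ldap_config.pver = $2;` still runs, unlike the file's other validation failures (the `unknown user` case earlier in the file) which `return -1` after yyerror; add `return -1;` after the yyerror call or put the assignment in an else branch. Every `QUOTEDSTRING` action in this hunk copies the token with `vdup($2)` and then drops `$2` without a `vfree($2)`, whereas the other string-taking statements in this file (`path` with `vfree($3)`, `CFG_DEFAULT_DOMAIN` and `authgroup` with `vfree`) free the token after copying, so each ldap string setting leaks its token; either `vfree($2)` after the copy or store `$2` directly instead of duplicating it. The `vdup` result is also not checked for NULL before being kept.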
@@ -506,9 +667,9 @@
 	:	CFG_NET4 ADDRSTRING
 		{
 #ifdef ENABLE_HYBRID
-		 if (inet_pton(AF_INET, $2->v,
-		     &isakmp_cfg_config.network4) != 1)
-			yyerror("bad IPv4 network address.");
+			if (inet_pton(AF_INET, $2->v,
+			     &isakmp_cfg_config.network4) != 1)
+				yyerror("bad IPv4 network address.");
 #else
 			yyerror("racoon not configured with --enable-hybrid");
 #endif
@@ -525,23 +686,42 @@
 #endif
 		}
 		EOS
-	|	CFG_DNS4 ADDRSTRING
+	|	CFG_DNS4 addrdnslist
+		EOS
+	|	CFG_NBNS4 addrwinslist
+		EOS
+	|	CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
 		{
 #ifdef ENABLE_HYBRID
-			if (inet_pton(AF_INET, $2->v,
-			    &isakmp_cfg_config.dns4) != 1)
-				yyerror("bad IPv4 DNS address.");
+			isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
 #else
 			yyerror("racoon not configured with --enable-hybrid");
 #endif
 		}
 		EOS
-	|	CFG_NBNS4 ADDRSTRING
+	|	CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
 		{
 #ifdef ENABLE_HYBRID
-			if (inet_pton(AF_INET, $2->v,
-			    &isakmp_cfg_config.nbns4) != 1)
-				yyerror("bad IPv4 WINS address.");
+			isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+		EOS
+	|	CFG_SPLIT_DNS splitdnslist
+		{
+#ifndef ENABLE_HYBRID
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+		EOS
+	|	CFG_DEFAULT_DOMAIN QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+			strncpy(&isakmp_cfg_config.default_domain[0], 
+			    $2->v, MAXPATHLEN);
+			isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
+			vfree($2);
 #else
 			yyerror("racoon not configured with --enable-hybrid");
 #endif
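Review bot: The `CFG_DEFAULT_DOMAIN` action writes `default_domain[MAXPATHLEN] = '\0'` after `strncpy(..., MAXPATHLEN)`, which is in bounds only if the array is declared with MAXPATHLEN + 1 elements (the declaration is not on this page; worth confirming), and it silently truncates a longer domain instead of rejecting it. A copy sized from the array and an explicit length check keeps the intent visible: `if ($2->l >= sizeof(isakmp_cfg_config.default_domain)) yyerror("default domain too long"); snprintf(isakmp_cfg_config.default_domain, sizeof(isakmp_cfg_config.default_domain), "%s", $2->v);`.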
@@ -582,6 +762,48 @@
 #endif /* ENABLE_HYBRID */
 		}
 		EOS
+	|	CFG_AUTH_SOURCE CFG_LDAP
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
+#else /* HAVE_LIBLDAP */
+			yyerror("racoon not configured with --with-libldap");
+#endif /* HAVE_LIBLDAP */
+#else /* ENABLE_HYBRID */
+			yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+		}
+		EOS
+	|	CFG_AUTH_GROUPS authgrouplist
+		{
+#ifndef ENABLE_HYBRID
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+		EOS
+	|	CFG_GROUP_SOURCE CFG_SYSTEM
+		{
+#ifdef ENABLE_HYBRID
+			isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+		EOS
+	|	CFG_GROUP_SOURCE CFG_LDAP
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
+#else /* HAVE_LIBLDAP */
+			yyerror("racoon not configured with --with-libldap");
+#endif /* HAVE_LIBLDAP */
+#else /* ENABLE_HYBRID */
+			yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+		}
+		EOS
 	|	CFG_ACCOUNTING CFG_NONE
 		{
 #ifdef ENABLE_HYBRID
@@ -591,6 +813,15 @@
 #endif
 		}
 		EOS
+	|	CFG_ACCOUNTING CFG_SYSTEM
+		{
+#ifdef ENABLE_HYBRID
+			isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+		EOS
 	|	CFG_ACCOUNTING CFG_RADIUS
 		{
 #ifdef ENABLE_HYBRID
@@ -620,15 +851,8 @@
 	|	CFG_POOL_SIZE NUMBER
 		{
 #ifdef ENABLE_HYBRID
-			size_t len;
-
-			isakmp_cfg_config.pool_size = $2;
-
-			len = $2 * sizeof(*isakmp_cfg_config.port_pool);
-			isakmp_cfg_config.port_pool = racoon_malloc(len);
-			if (isakmp_cfg_config.port_pool == NULL)
+			if (isakmp_cfg_resize_pool($2) != 0)
 				yyerror("cannot allocate memory for pool");
-			bzero(isakmp_cfg_config.port_pool, len);
 #else /* ENABLE_HYBRID */
 			yyerror("racoon not configured with --enable-hybrid");
 #endif /* ENABLE_HYBRID */
@@ -683,6 +907,19 @@
 #endif /* ENABLE_HYBRID */
 		}
 		EOS
+	|	CFG_CONF_SOURCE CFG_LDAP
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
+#else /* HAVE_LIBLDAP */
+			yyerror("racoon not configured with --with-libldap");
+#endif /* HAVE_LIBLDAP */
+#else /* ENABLE_HYBRID */
+			yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+		}
+		EOS
 	|	CFG_MOTD QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID
@@ -696,6 +933,144 @@
 		EOS
 	;
 
+addrdnslist
+	:	addrdns
+	|	addrdns COMMA addrdnslist
+	;
+addrdns
+	:	ADDRSTRING
+		{
+#ifdef ENABLE_HYBRID
+			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+			if (icc->dns4_index > MAXNS)
+				yyerror("No more than %d DNS", MAXNS);
+			if (inet_pton(AF_INET, $1->v,
+			    &icc->dns4[icc->dns4_index++]) != 1)
+				yyerror("bad IPv4 DNS address.");
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+	;
+
+addrwinslist
+	:	addrwins
+	|	addrwins COMMA addrwinslist
+	;
+addrwins
+	:	ADDRSTRING
+		{
+#ifdef ENABLE_HYBRID
+			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+			if (icc->nbns4_index > MAXWINS)
+				yyerror("No more than %d WINS", MAXWINS);
+			if (inet_pton(AF_INET, $1->v,
+			    &icc->nbns4[icc->nbns4_index++]) != 1)
+				yyerror("bad IPv4 WINS address.");
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+	;
+
+splitnetlist
+	:	splitnet
+	|	splitnetlist COMMA splitnet
+	;
+splitnet
+	:	ADDRSTRING PREFIX
+		{
+#ifdef ENABLE_HYBRID
+			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+			struct unity_network network;
+
+			if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
+				yyerror("bad IPv4 SPLIT address.");
+
+			/* Turn $2 (the prefix) into a subnet mask */
+			network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
+
+			/* add the network to our list */ 
+			if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
+				yyerror("Unable to allocate split network");
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+	;
+
+authgrouplist
+	:	authgroup
+	|	authgroup COMMA authgrouplist
+	;
+authgroup
+	:	QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+			char * groupname = NULL;
+			char ** grouplist = NULL;
+			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+			grouplist = racoon_realloc(icc->grouplist,
+					sizeof(char**)*(icc->groupcount+1));
+			if (grouplist == NULL)
+				yyerror("unable to allocate auth group list");
+
+			groupname = racoon_malloc($1->l+1);
+			if (groupname == NULL)
+				yyerror("unable to allocate auth group name");
+
+			memcpy(groupname,$1->v,$1->l);
+			groupname[$1->l]=0;
+			grouplist[icc->groupcount]=groupname;
+			icc->grouplist = grouplist;
+			icc->groupcount++;
+
+			vfree($1);
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+	;
+
+splitdnslist
+	:	splitdns
+	|	splitdns COMMA splitdnslist
+	;
+splitdns
+	:	QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+			if (!icc->splitdns_len)
+			{
+				icc->splitdns_list = racoon_malloc($1->l);
+				if(icc->splitdns_list == NULL)
+					yyerror("error allocating splitdns list buffer");
+				memcpy(icc->splitdns_list,$1->v,$1->l);
+				icc->splitdns_len = $1->l;
+			}
+			else
+			{
+				int len = icc->splitdns_len + $1->l + 1;
+				icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
+				if(icc->splitdns_list == NULL)
+					yyerror("error allocating splitdns list buffer");
+				icc->splitdns_list[icc->splitdns_len] = ',';
+				memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
+				icc->splitdns_len = len;
+			}
+			vfree($1);
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+#endif
+		}
+	;
+
+
 	/* timer */
 timer_statement
 	:	RETRY BOC timer_stmts EOC
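Review bot: The guard in `addrdns` (and the parallel one in `addrwins`) is off by one and does not stop the write: with `icc->dns4_index > MAXNS` an index equal to MAXNS passes, and because yyerror returns (the explicit `return -1` after it elsewhere in this file shows that) the next statement still stores into `dns4[icc->dns4_index++]`, so a config listing more than MAXNS servers writes past the array if `dns4` holds MAXNS entries, as the `No more than %d DNS` message implies. Make it `if (icc->dns4_index >= MAXNS) { yyerror("No more than %d DNS", MAXNS); return -1; }` and the same with MAXWINS for `nbns4`. The same report-and-continue shape appears in `authgroup` and `splitdns`: after a failed `racoon_realloc` / `racoon_malloc` the code calls yyerror and then dereferences the NULL result (`grouplist[icc->groupcount]`, `icc->splitdns_list[...]`), and `splitdns` assigns the realloc result straight back to `icc->splitdns_list`, losing the old buffer on failure; a `return -1` after each of those yyerror calls and a temporary for the realloc result fix both. `sizeof(char**)` in `authgroup` should read `sizeof(char *)`, the element type of the list, even though the two sizes coincide.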
@@ -751,7 +1126,7 @@
 				return -1;
 			}
 		}
-		sainfo_name sainfo_peer BOC sainfo_specs
+		sainfo_name sainfo_param BOC sainfo_specs
 		{
 			struct sainfo *check;
 
@@ -791,6 +1166,16 @@
 			cur_sainfo->idsrc = NULL;
 			cur_sainfo->iddst = NULL;
 		}
+	|	ANONYMOUS sainfo_id
+		{
+			cur_sainfo->idsrc = NULL;
+			cur_sainfo->iddst = $2;
+		}
+	|	sainfo_id ANONYMOUS
+		{
+			cur_sainfo->idsrc = $1;
+			cur_sainfo->iddst = NULL;
+		}
 	|	sainfo_id sainfo_id
 		{
 			cur_sainfo->idsrc = $1;
@@ -851,6 +1236,71 @@
 			if ($$ == NULL)
 				return -1;
 		}
+	|	IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
+		{
+			char portbuf[10];
+			struct sockaddr *laddr = NULL, *haddr = NULL;
+			char *cur = NULL;
+
+			if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
+			 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
+				yyerror("port number must be \"any\".");
+				return -1;
+			}
+
+			snprintf(portbuf, sizeof(portbuf), "%lu", $5);
+			
+			laddr = str2saddr($2->v, portbuf);
+			if (laddr == NULL) {
+			    return -1;
+			}
+			vfree($2);
+			haddr = str2saddr($3->v, portbuf);
+			if (haddr == NULL) {
+			    racoon_free(laddr);
+			    return -1;
+			}
+			vfree($3);
+
+			switch (laddr->sa_family) {
+			case AF_INET:
+				if ($6 == IPPROTO_ICMPV6) {
+				    yyerror("upper layer protocol mismatched.\n");
+				    if (laddr)
+					racoon_free(laddr);
+				    if (haddr)
+					racoon_free(haddr);
+				    return -1;
+				}
+                                $$ = ipsecdoi_sockrange2id(laddr, haddr, 
+							   $6);
+				break;
+#ifdef INET6
+			case AF_INET6:
+				if ($6 == IPPROTO_ICMP) {
+					yyerror("upper layer protocol mismatched.\n");
+					if (laddr)
+					    racoon_free(laddr);
+					if (haddr)
+					    racoon_free(haddr);
+					return -1;
+				}
+				$$ = ipsecdoi_sockrange2id(laddr, haddr, 
+							       $6);
+				break;
+#endif
+			default:
+				yyerror("invalid family: %d", laddr->sa_family);
+				$$ = NULL;
+				break;
+			}
+			if (laddr)
+			    racoon_free(laddr);
+			if (haddr)
+			    racoon_free(haddr);
+			if ($$ == NULL)
+				return -1;
+		}
 	|	IDENTIFIERTYPE QUOTEDSTRING
 		{
 			struct ipsecdoi_id_b *id_b;
@@ -878,12 +1328,11 @@
 			memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
 		}
 	;
-sainfo_peer
+sainfo_param
 	:	/* nothing */
 		{
 			cur_sainfo->id_i = NULL;
 		}
-
 	|	FROM IDENTIFIERTYPE identifierstring
 		{
 			struct ipsecdoi_id_b *id_b;
@@ -909,6 +1358,18 @@
 			       idv->v, idv->l);
 			vfree(idv);
 		}
+	|	GROUP QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+			if ((cur_sainfo->group = vdup($2)) == NULL) {
+				yyerror("failed to set sainfo xauth group.\n");
+				return -1;
+			}
+#else
+			yyerror("racoon not configured with --enable-hybrid");
+			return -1;
+#endif
+ 		}
 	;
 sainfo_specs
 	:	/* nothing */
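Review bot: In the new GROUP alternative the quoted string is copied with `vdup($2)` but `$2` itself is never released, and an existing `cur_sainfo->group` is overwritten without being freed if the directive is repeated; the preceding FROM alternative frees its buffer with vfree once it has been consumed. Either take ownership directly, `cur_sainfo->group = $2;`, or keep the vdup and add `vfree($2);` after the NULL check, and in both cases release the old value first, `if (cur_sainfo->group != NULL) vfree(cur_sainfo->group);`. The closing brace line of the action also carries a stray leading space before the tab.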
@@ -1058,11 +1519,9 @@
 			new->prhead = NULL;
 			cur_rmconf = new;
 
-			if (!cur_rmconf->inherited_from 
-			    || !cur_rmconf->inherited_from->proposal)
-				return -1;
 			prspec = newprspec();
-			if (prspec == NULL)
+			if (prspec == NULL || !cur_rmconf->inherited_from 
+				|| !cur_rmconf->inherited_from->proposal)
 				return -1;
 			prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime;
 			prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte;
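Review bot: Folding the `inherited_from` checks into the test after `newprspec()` leaks the freshly allocated `prspec` whenever `cur_rmconf->inherited_from` or its `proposal` is NULL, because the `return -1` now fires after the allocation; the removed lines performed those checks before allocating. Keep the two tests separate: `if (prspec == NULL) return -1;` followed by a check of the inherited proposal that releases `prspec` (with whatever frees a newprspec() result, not visible in this hunk) before returning. The enclosing action starts outside the hunk, so whether `new` also needs releasing on this path cannot be seen here.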
@@ -1197,7 +1656,11 @@
 			yywarn("This directive without certtype will be removed!\n");
 			yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
 			cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
-			cur_rmconf->peerscertfile = strdup($2->v);
+
+			if (cur_rmconf->peerscertfile != NULL)
+				racoon_free(cur_rmconf->peerscertfile);
+			cur_rmconf->peerscertfile = racoon_strdup($2->v);
+			STRDUP_FATAL(cur_rmconf->peerscertfile);
 			vfree($2);
 		}
 		EOS
@@ -1205,14 +1668,20 @@
 		{
 			cur_rmconf->cacerttype = $2;
 			cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
-			cur_rmconf->cacertfile = strdup($3->v);
+			if (cur_rmconf->cacertfile != NULL)
+				racoon_free(cur_rmconf->cacertfile);
+			cur_rmconf->cacertfile = racoon_strdup($3->v);
+			STRDUP_FATAL(cur_rmconf->cacertfile);
 			vfree($3);
 		}
 		EOS
 	|	PEERS_CERTFILE CERT_X509 QUOTEDSTRING
 		{
 			cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
-			cur_rmconf->peerscertfile = strdup($3->v);
+			if (cur_rmconf->peerscertfile != NULL)
+				racoon_free(cur_rmconf->peerscertfile);
+			cur_rmconf->peerscertfile = racoon_strdup($3->v);
+			STRDUP_FATAL(cur_rmconf->peerscertfile);
 			vfree($3);
 		}
 		EOS
@@ -1261,16 +1730,27 @@
 			cur_rmconf->idvtype = $2;
 		}
 		EOS
+	|	MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
+		{
+			if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
+				yyerror("failed to set identifer.\n");
+				return -1;
+			}
+			cur_rmconf->idvtype = $2;
+		}
+		EOS
 	|	XAUTH_LOGIN identifierstring
 		{
 #ifdef ENABLE_HYBRID
 			/* formerly identifier type login */
-			cur_rmconf->idvtype = IDTYPE_LOGIN;
-			if (set_identifier(&cur_rmconf->idv, IDTYPE_LOGIN, $2) != 0) {
+			if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
+				yyerror("failed to allocate xauth state\n");
+				return -1;
+			}
+			if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
 				yyerror("failed to set identifer.\n");
 				return -1;
 			}
-			/* cur_rmconf->use_xauth = 1; */
 #else
 			yyerror("racoon not configured with --enable-hybrid");
 #endif
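Review bot: The XAUTH_LOGIN action assigns `vdup($2)` to `cur_rmconf->xauth->login` without releasing a previous value, so a repeated `xauth_login` directive leaks the earlier buffer, and `$2` itself is not released after the copy; the certfile hunks in this same commit free the old value before the new strdup, and the same shape fits here: `if (cur_rmconf->xauth->login != NULL) vfree(cur_rmconf->xauth->login);` before the vdup and `vfree($2);` after the NULL check. The `#else` branch reports the missing hybrid support with yyerror but, unlike the GROUP alternative of sainfo_param, does not `return -1`, so whether parsing stops there depends on yyerror's error counting, which is not visible here. The new error strings in this hunk and in the PEERS_IDENTIFIER hunk below spell "identifer" for "identifier".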
@@ -1293,6 +1773,23 @@
 			genlist_append (cur_rmconf->idvl_p, id);
 		}
 		EOS
+	|	PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
+		{
+			struct idspec  *id;
+			id = newidspec();
+			if (id == NULL) {
+				yyerror("failed to allocate idspec");
+				return -1;
+			}
+			if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
+				yyerror("failed to set identifer.\n");
+				racoon_free(id);
+				return -1;
+			}
+			id->idtype = $2;
+			genlist_append (cur_rmconf->idvl_p, id);
+		}
+		EOS
 	|	VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
 	|	NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
 	|	DH_GROUP
@@ -1311,15 +1808,25 @@
 #endif
 		} EOS
 	|	SCRIPT QUOTEDSTRING PHASE1_UP { 
+			if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
+				vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
+
 			cur_rmconf->script[SCRIPT_PHASE1_UP] = 
 			    script_path_add(vdup($2));
 		} EOS
 	|	SCRIPT QUOTEDSTRING PHASE1_DOWN { 
+			if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
+				vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
+
 			cur_rmconf->script[SCRIPT_PHASE1_DOWN] = 
 			    script_path_add(vdup($2));
 		} EOS
 	|	MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
+	|	WEAK_PHASE1_CHECK SWITCH {
+			cur_rmconf->weak_phase1_check = $2;
+		} EOS
 	|	GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
+	|	GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
 	|	SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
 	|	INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
 	|	NAT_TRAVERSAL SWITCH
@@ -1432,9 +1939,15 @@
 	:	CERT_X509 QUOTEDSTRING QUOTEDSTRING
 		{
 			cur_rmconf->certtype = $1;
-			cur_rmconf->mycertfile = strdup($2->v);
+			if (cur_rmconf->mycertfile != NULL)
+				racoon_free(cur_rmconf->mycertfile);
+			cur_rmconf->mycertfile = racoon_strdup($2->v);
+			STRDUP_FATAL(cur_rmconf->mycertfile);
 			vfree($2);
-			cur_rmconf->myprivfile = strdup($3->v);
+			if (cur_rmconf->myprivfile != NULL)
+				racoon_free(cur_rmconf->myprivfile);
+			cur_rmconf->myprivfile = racoon_strdup($3->v);
+			STRDUP_FATAL(cur_rmconf->myprivfile);
 			vfree($3);
 		}
 		EOS
@@ -1521,7 +2034,11 @@
 				yyerror("wrong Vendor ID for gssapi_id");
 				return -1;
 			}
-			cur_rmconf->prhead->spspec->gssid = strdup($2->v);
+			if (cur_rmconf->prhead->spspec->gssid != NULL)
+				racoon_free(cur_rmconf->prhead->spspec->gssid);
+			cur_rmconf->prhead->spspec->gssid = 
+			    racoon_strdup($2->v);
+			STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid);
 		}
 		EOS
 	|	ALGORITHM_CLASS ALGORITHMTYPE keylength
@@ -1868,7 +2385,10 @@
 #ifdef HAVE_GSSAPI
 	if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
 		if (gssid != NULL) {
-			new->gssid = vmalloc(strlen(gssid));
+			if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
+				yyerror("failed to allocate gssid");
+				return -1;
+			}
 			memcpy(new->gssid->v, gssid, new->gssid->l);
 			racoon_free(gssid);
 		} else {
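Review bot: On the new failure path for `vmalloc(strlen(gssid))`, `gssid` is not released — `racoon_free(gssid)` runs only on the success path two lines below — so the error return leaks the string handed to this function; add `racoon_free(gssid);` before the `return -1;`. Whether `new` must also be released on this return depends on the enclosing function, which starts and ends outside the hunk.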
@@ -1936,8 +2456,12 @@
 
 	yycf_init_buffer();
 
-	if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
+	if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+		    "could not read configuration file \"%s\"\n", 
+		    lcconf->racoon_conf);
 		return -1;
+	}
 
 	error = yyparse();
 	if (error != 0) {
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse_proto.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse_proto.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse_proto.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: cfparse_proto.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: cfparse_proto.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: cftoken.l,v 1.6 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.7 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: cftoken.l,v 1.31.2.7 2005/11/06 17:18:26 monas Exp */
+/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
 %{
 /*
@@ -74,6 +74,7 @@
 #include "ipsec_doi.h"
 #include "proposal.h"
 #include "nattraversal.h"
+#include "remoteconf.h"
 #ifdef GC
 #include "gcmalloc.h"
 #endif
@@ -124,6 +125,7 @@
 ecl		\}
 blcl		\[
 elcl		\]
+hyphen          \-
 percent		\%
 semi		\;
 comment		\#.*
@@ -134,7 +136,7 @@
 decstring	{digit}+
 hexstring	0x{hexdigit}+
 
-%s S_INI S_PRIV S_PTH S_INF S_LOG S_PAD S_LST S_RTRY S_CFG
+%s S_INI S_PRIV S_PTH S_INF S_LOG S_PAD S_LST S_RTRY S_CFG S_LDAP
 %s S_ALGST S_ALGCL
 %s S_SAINF S_SAINFS
 %s S_RMT S_RMTS S_RMTP
@@ -165,7 +167,7 @@
 				return(PATHTYPE); }
 <S_PTH>certificate	{ YYD; yylval.num = LC_PATHTYPE_CERT;
 				return(PATHTYPE); }
-<S_PTH>script 		{ YYD; yylval.num = LC_PATHTYPE_SCRIPT;
+<S_PTH>script		{ YYD; yylval.num = LC_PATHTYPE_SCRIPT;
 				return(PATHTYPE); }
 <S_PTH>backupsa		{ YYD; yylval.num = LC_PATHTYPE_BACKUPSA;
 				return(PATHTYPE); }
@@ -185,12 +187,14 @@
 
 	/* logging */
 <S_INI>log		{ BEGIN S_LOG; YYDB; return(LOGGING); }
-<S_LOG>info		{ YYD; yywarn("it is obsoleted.  use \"notify\""); yylval.num = 0; return(LOGLEV); }
-<S_LOG>notify		{ YYD; yylval.num = 0; return(LOGLEV); }
-<S_LOG>debug		{ YYD; yylval.num = 1; return(LOGLEV); }
-<S_LOG>debug2		{ YYD; yylval.num = 2; return(LOGLEV); }
-<S_LOG>debug3		{ YYD; yywarn("it is osboleted.  use \"debug2\""); yylval.num = 2; return(LOGLEV); }
-<S_LOG>debug4		{ YYD; yywarn("it is obsoleted.  use \"debug2\""); yylval.num = 2; return(LOGLEV); }
+<S_LOG>error		{ YYD; yylval.num = LLV_ERROR; return(LOGLEV); }
+<S_LOG>warning		{ YYD; yylval.num = LLV_WARNING; return(LOGLEV); }
+<S_LOG>notify		{ YYD; yylval.num = LLV_NOTIFY; return(LOGLEV); }
+<S_LOG>info		{ YYD; yylval.num = LLV_INFO; return(LOGLEV); }
+<S_LOG>debug		{ YYD; yylval.num = LLV_DEBUG; return(LOGLEV); }
+<S_LOG>debug2		{ YYD; yylval.num = LLV_DEBUG2; return(LOGLEV); }
+<S_LOG>debug3		{ YYD; yywarn("it is obsoleted.  use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
+<S_LOG>debug4		{ YYD; yywarn("it is obsoleted.  use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
 <S_LOG>{semi}		{ BEGIN S_INI; return(EOS); }
 
 	/* padding */
@@ -214,6 +218,23 @@
 <S_LST>strict_address	{ YYD; return(STRICT_ADDRESS); }
 <S_LST>{ecl}		{ BEGIN S_INI; return(EOC); }
 
+	/* ldap config */
+<S_INI>ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
+<S_LDAP>{bcl}		{ return(BOC); }
+<S_LDAP>version		{ YYD; return(LDAP_PVER); }
+<S_LDAP>host		{ YYD; return(LDAP_HOST); }
+<S_LDAP>port		{ YYD; return(LDAP_PORT); }
+<S_LDAP>base		{ YYD; return(LDAP_BASE); }
+<S_LDAP>subtree		{ YYD; return(LDAP_SUBTREE); }
+<S_LDAP>bind_dn		{ YYD; return(LDAP_BIND_DN); }
+<S_LDAP>bind_pw		{ YYD; return(LDAP_BIND_PW); }
+<S_LDAP>attr_user	{ YYD; return(LDAP_ATTR_USER); }
+<S_LDAP>attr_addr	{ YYD; return(LDAP_ATTR_ADDR); }
+<S_LDAP>attr_mask	{ YYD; return(LDAP_ATTR_MASK); }
+<S_LDAP>attr_group	{ YYD; return(LDAP_ATTR_GROUP); }
+<S_LDAP>attr_member	{ YYD; return(LDAP_ATTR_MEMBER); }
+<S_LDAP>{ecl}		{ BEGIN S_INI; return(EOC); }
+
 	/* mode_cfg */
 <S_INI>mode_cfg		{ BEGIN S_CFG; YYDB; return(MODECFG); }
 <S_CFG>{bcl}		{ return(BOC); }
@@ -221,7 +242,10 @@
 <S_CFG>netmask4		{ YYD; return(CFG_MASK4); }
 <S_CFG>dns4		{ YYD; return(CFG_DNS4); }
 <S_CFG>wins4		{ YYD; return(CFG_NBNS4); }
+<S_CFG>default_domain	{ YYD; return(CFG_DEFAULT_DOMAIN); }
 <S_CFG>auth_source	{ YYD; return(CFG_AUTH_SOURCE); }
+<S_CFG>auth_groups	{ YYD; return(CFG_AUTH_GROUPS); }
+<S_CFG>group_source	{ YYD; return(CFG_GROUP_SOURCE); }
 <S_CFG>conf_source	{ YYD; return(CFG_CONF_SOURCE); }
 <S_CFG>accounting	{ YYD; return(CFG_ACCOUNTING); }
 <S_CFG>system		{ YYD; return(CFG_SYSTEM); }
@@ -229,11 +253,17 @@
 <S_CFG>none		{ YYD; return(CFG_NONE); }
 <S_CFG>radius		{ YYD; return(CFG_RADIUS); }
 <S_CFG>pam		{ YYD; return(CFG_PAM); }
+<S_CFG>ldap		{ YYD; return(CFG_LDAP); }
 <S_CFG>pool_size	{ YYD; return(CFG_POOL_SIZE); }
 <S_CFG>banner		{ YYD; return(CFG_MOTD); }
 <S_CFG>auth_throttle	{ YYD; return(CFG_AUTH_THROTTLE); }
+<S_CFG>split_network	{ YYD; return(CFG_SPLIT_NETWORK); }
+<S_CFG>local_lan	{ YYD; return(CFG_SPLIT_LOCAL); }
+<S_CFG>include		{ YYD; return(CFG_SPLIT_INCLUDE); }
+<S_CFG>split_dns	{ YYD; return(CFG_SPLIT_DNS); }
 <S_CFG>pfs_group	{ YYD; return(CFG_PFS_GROUP); }
 <S_CFG>save_passwd	{ YYD; return(CFG_SAVE_PASSWD); }
+<S_CFG>{comma}		{ YYD; return(COMMA); }
 <S_CFG>{ecl}		{ BEGIN S_INI; return(EOC); }
 
 	/* timer */
@@ -253,6 +283,7 @@
 <S_SAINF>{blcl}any{elcl}	{ YYD; return(PORTANY); }
 <S_SAINF>any		{ YYD; return(ANY); }
 <S_SAINF>from		{ YYD; return(FROM); }
+<S_SAINF>group		{ YYD; return(GROUP); }
 	/* sainfo spec */
 <S_SAINF>{bcl}		{ BEGIN S_SAINFS; return(BOC); }
 <S_SAINF>{semi}		{ BEGIN S_INI; return(EOS); }
@@ -303,6 +334,8 @@
 <S_RMTS>dh_group	{ YYD; return(DH_GROUP); }
 <S_RMTS>nonce_size	{ YYD; return(NONCE_SIZE); }
 <S_RMTS>generate_policy	{ YYD; return(GENERATE_POLICY); }
+<S_RMTS>unique		{ YYD; yylval.num = GENERATE_POLICY_UNIQUE; return(GENERATE_LEVEL); }
+<S_RMTS>require		{ YYD; yylval.num = GENERATE_POLICY_REQUIRE; return(GENERATE_LEVEL); }
 <S_RMTS>support_mip6	{ YYD; yywarn("it is obsoleted.  use \"support_proxy\"."); return(SUPPORT_PROXY); }
 <S_RMTS>support_proxy	{ YYD; return(SUPPORT_PROXY); }
 <S_RMTS>initial_contact	{ YYD; return(INITIAL_CONTACT); }
@@ -328,6 +361,7 @@
 <S_RMTS>phase1_up	{ YYD; return(PHASE1_UP); }
 <S_RMTS>phase1_down	{ YYD; return(PHASE1_DOWN); }
 <S_RMTS>mode_cfg	{ YYD; return(MODE_CFG); }
+<S_RMTS>weak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); }
 	/* remote proposal */
 <S_RMTS>proposal	{ BEGIN S_RMTP; YYDB; return(PROPOSAL); }
 <S_RMTP>{bcl}		{ return(BOC); }
@@ -373,6 +407,19 @@
 			return(PORT);
 		}
 
+	/* address range */
+{hyphen}{addrstring} {
+                        YYD;
+                        yytext++;
+			yylval.val = vmalloc(yyleng + 1);
+			if (yylval.val == NULL) {
+				yyerror("vmalloc failed");
+				return -1;
+			}
+			memcpy(yylval.val->v, yytext, yylval.val->l);
+                        return(ADDRRANGE);
+                } 
+
 	/* upper protocol */
 esp		{ YYD; yylval.num = IPPROTO_ESP; return(UL_PROTO); }
 ah		{ YYD; yylval.num = IPPROTO_AH; return(UL_PROTO); }
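Review bot: In the new `{hyphen}{addrstring}` rule, `yytext++` skips the hyphen but `yyleng` is left unchanged, so `vmalloc(yyleng + 1)` is one byte larger than the remaining text plus its terminator, and the `memcpy` of `yylval.val->l` bytes reads one byte past the NUL that flex places after the token; the `addrstring` rule elsewhere in this file presumably copies `yyleng + 1` bytes from an unshifted yytext, which is where the off-by-one comes from. Adjust the length together with the pointer, `yytext++; yyleng--;`, so the existing allocation and copy stay consistent, or allocate `vmalloc(yyleng)` after the increment. The action also mixes spaces and tabs for indentation where the surrounding rules use tabs.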
@@ -465,6 +512,34 @@
 	yyerror("racoon not configured with --enable-hybrid");
 #endif
 }
+xauth_psk_server {
+#ifdef ENABLE_HYBRID
+	YYD; yylval.num = algtype_xauth_psk_s; return(ALGORITHMTYPE);
+#else
+	yyerror("racoon not configured with --enable-hybrid");
+#endif
+}
+xauth_psk_client {
+#ifdef ENABLE_HYBRID
+	YYD; yylval.num = algtype_xauth_psk_c; return(ALGORITHMTYPE);
+#else
+	yyerror("racoon not configured with --enable-hybrid");
+#endif
+}
+xauth_rsa_server {
+#ifdef ENABLE_HYBRID
+	YYD; yylval.num = algtype_xauth_rsa_s; return(ALGORITHMTYPE);
+#else
+	yyerror("racoon not configured with --enable-hybrid");
+#endif
+}
+xauth_rsa_client {
+#ifdef ENABLE_HYBRID
+	YYD; yylval.num = algtype_xauth_rsa_c; return(ALGORITHMTYPE);
+#else
+	yyerror("racoon not configured with --enable-hybrid");
+#endif
+}
 
 
 	/* identifier type */
@@ -477,6 +552,10 @@
 asn1dn		{ YYD; yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
 certname	{ YYD; yywarn("certname will be obsoleted in near future."); yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
 
+	/* identifier qualifier */
+tag		{ YYD; yylval.num = IDQUAL_TAG;  return(IDENTIFIERQUAL); }
+file		{ YYD; yylval.num = IDQUAL_FILE; return(IDENTIFIERQUAL); }
+
 	/* units */
 B|byte|bytes		{ YYD; return(UNITTYPE_BYTE); }
 KB			{ YYD; return(UNITTYPE_KBYTES); }
@@ -637,7 +716,7 @@
 	if (glob(path, GLOB_TILDE, NULL, &incstack[incstackp].matches) != 0 ||
 	    incstack[incstackp].matches.gl_pathc == 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			"glob found no matches for path");
+			"glob found no matches for path \"%s\"\n", path);
 		return -1;
 	}
 	incstack[incstackp].matchon = 0;
@@ -679,7 +758,10 @@
 
 	/* initialize */
 	incstack[incstackp].fp = yyin;
-	incstack[incstackp].path = strdup(path);
+	if (incstack[incstackp].path != NULL)
+		racoon_free(incstack[incstackp].path);
+	incstack[incstackp].path = racoon_strdup(path);
+	STRDUP_FATAL(incstack[incstackp].path);
 	incstack[incstackp].lineno = 1;
 	plog(LLV_DEBUG, LOCATION, NULL,
 		"reading config file %s\n", path);
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken_proto.h,v 1.3 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: cftoken_proto.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: cftoken_proto.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: crypto_openssl.c,v 1.7 2005/11/26 02:32:58 christos Exp $	*/
-
-/* Id: crypto_openssl.c,v 1.40.4.5 2005/07/12 11:50:15 manubsd Exp */
+/*	$NetBSD: crypto_openssl.c,v 1.8 2006/09/09 16:22:09 manu Exp $	*/
+
+/* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -80,18 +80,11 @@
 #include "crypto/rijndael/rijndael-api-fst.h"
 #endif
 #ifdef WITH_SHA2
-#ifdef notdef
 #ifdef HAVE_OPENSSL_SHA2_H
 #include <openssl/sha2.h>
 #else
 #include "crypto/sha2/sha2.h"
 #endif
-#else
-#define SHA384_CTX SHA512_CTX
-#define EVP_sha2_256 EVP_sha256
-#define EVP_sha2_384 EVP_sha384
-#define EVP_sha2_512 EVP_sha512
-#endif
 #endif
 
 /* 0.9.7 stuff? */
@@ -601,37 +594,36 @@
 	u_char *bp;
 	vchar_t *name = NULL;
 	int len;
-	int error = -1;
 
 	bp = (unsigned char *) cert->v;
 
 	x509 = mem2x509(cert);
 	if (x509 == NULL)
-		goto end;
+		goto error;
 
 	/* get the length of the name */
 	len = i2d_X509_NAME(x509->cert_info->subject, NULL);
 	name = vmalloc(len);
 	if (!name)
-		goto end;
+		goto error;
 	/* get the name */
 	bp = (unsigned char *) name->v;
 	len = i2d_X509_NAME(x509->cert_info->subject, &bp);
 
-	error = 0;
-
-   end:
-	if (error) {
-		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-		if (name) {
-			vfree(name);
-			name = NULL;
-		}
-	}
-	if (x509)
-		X509_free(x509);
+	X509_free(x509);
 
 	return name;
+
+error:
+	plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
+
+	if (name != NULL) 
+		vfree(name);
+
+	if (x509 != NULL)
+		X509_free(x509);
+
+	return NULL;
 }
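Review bot: The restructured error path still does not cover `i2d_X509_NAME(x509->cert_info->subject, NULL)` returning a negative value on failure; `len` is then passed straight to `vmalloc(len)` and converted to a size, so a failed encoding becomes a huge allocation attempt or a bogus buffer instead of the `goto error` the rest of the function now uses. Add `if (len < 0) goto error;` after the first i2d_X509_NAME call, and the same check after the second, which writes through `bp`, before `name` is returned. The function's signature and the declaration of `x509` are outside the hunk.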
 
 /*
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: crypto_openssl.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: crypto_openssl.h,v 1.11 2004/11/13 11:28:01 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/debug.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/debug.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: debug.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: debug.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: debug.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/debugrm.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/debugrm.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: debugrm.c,v 1.2 2005/08/20 00:57:06 manu Exp $	*/
+/*	$NetBSD: debugrm.c,v 1.3 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: debugrm.c,v 1.6 2001/12/13 16:07:46 sakane Exp $	*/
 
@@ -206,6 +206,25 @@
 	free(ptr);
 }
 
+char *
+DRM_strdup(file, line, func, str)
+	char *file, *func;
+	int line;
+	const char *str;
+{
+	char *p;
+
+	p = strdup(str);
+
+	if (p) {
+		char buf[1024];
+		DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
+		DRM_add(p, buf);
+	}
+
+	return p;
+}
+
 /*
  * mask vmbuf.c functions.
  */
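Review bot: `DRM_setmsg(buf, sizeof(buf), p, size, file, line, func)` in the new DRM_strdup refers to `size`, which is neither a parameter nor a local of this function, so the file will not compile when this debug path is built; the other DRM_* wrappers take `size` as a parameter, which is presumably where this line was copied from. Use the length of the copy instead: `DRM_setmsg(buf, sizeof(buf), p, strlen(p) + 1, file, line, func);`. The fixed `buf[1024]` is passed with `sizeof(buf)`, so that part is bounded.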
--- a/crypto/dist/ipsec-tools/src/racoon/debugrm.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/debugrm.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: debugrm.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: debugrm.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: debugrm.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
+/* Id: debugrm.h,v 1.4 2006/04/06 14:00:06 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -49,6 +49,9 @@
 #ifndef racoon_free
 #define	racoon_free(p)		free((p))
 #endif
+#ifndef racoon_strdup
+#define	racoon_strdup(p)	strdup((p))
+#endif
 #else /*!NONEED_DRM*/
 #ifndef racoon_malloc
 #define	racoon_malloc(sz)	\
@@ -66,6 +69,10 @@
 #define	racoon_free(p)		\
 	DRM_free(__FILE__, __LINE__, __func__, (p))
 #endif
+#ifndef racoon_strdup
+#define	racoon_strdup(p)	\
+	DRM_strdup(__FILE__, __LINE__, __func__, (p))
+#endif
 #endif /*NONEED_DRM*/
 
 extern void DRM_init __P((void));
@@ -74,6 +81,7 @@
 extern void *DRM_calloc __P((char *, int, char *, size_t, size_t));
 extern void *DRM_realloc __P((char *, int, char *, void *, size_t));
 extern void DRM_free __P((char *, int, char *, void *));
+extern char *DRM_strdup __P((char *, int, char *, const char *));
 
 #ifndef NONEED_DRM
 #define	vmalloc(sz)	\
--- a/crypto/dist/ipsec-tools/src/racoon/dhgroup.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dhgroup.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dhgroup.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: dhgroup.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: dhgroup.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/dnssec.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dnssec.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec.c,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: dnssec.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: dnssec.c,v 1.2 2001/08/05 18:46:07 itojun Exp $	*/
 
@@ -96,7 +96,7 @@
 			"inpropper ID type passed %s "
 			"though getcert method is dnssec.\n",
 			s_ipsecdoi_ident(id_b->type));
-		return NULL;
+		goto err;
 	}
 
 	/* check response */
@@ -145,7 +145,10 @@
 err:
 	if (name)
 		racoon_free(name);
-	if (cert)
+	if (cert) {
 		oakley_delcert(cert);
+		cert = NULL;
+	}
+
 	goto end;
 }
--- a/crypto/dist/ipsec-tools/src/racoon/dnssec.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dnssec.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: dnssec.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: dnssec.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/dump.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dump.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dump.c,v 1.2 2005/08/20 00:57:06 manu Exp $	*/
+/*	$NetBSD: dump.c,v 1.3 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: dump.c,v 1.3 2000/09/23 15:31:05 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/dump.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dump.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dump.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: dump.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: dump.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/eaytest.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/eaytest.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: eaytest.c,v 1.5 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: eaytest.c,v 1.6 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: eaytest.c,v 1.20.4.2 2005/06/28 22:38:02 manubsd Exp */
+/* Id: eaytest.c,v 1.22 2005/06/19 18:02:54 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
--- a/crypto/dist/ipsec-tools/src/racoon/evt.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/evt.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: evt.c,v 1.4 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: evt.c,v 1.5 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: evt.c,v 1.2.4.1 2005/09/26 17:49:38 manubsd Exp */
+/* Id: evt.c,v 1.5 2006/06/22 20:11:35 manubsd Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus
@@ -45,10 +45,11 @@
 #include "vmbuf.h"
 #include "plog.h"
 #include "misc.h"
+#include "admin.h"
 #include "gcmalloc.h"
 #include "evt.h"
 
-
+#ifdef ENABLE_ADMINPORT
 struct evtlist evtlist = TAILQ_HEAD_INITIALIZER(evtlist);
 int evtlist_len = 0;
 
@@ -63,6 +64,10 @@
 	struct evt *evt;
 	size_t len;
 
+	/* If admin socket is disabled, silently discard anything */
+	if (adminsock_path == NULL)
+		return;
+
 	/* If we are above the limit, don't record anything */
 	if (evtlist_len > EVTLIST_MAX) {
 		plog(LLV_DEBUG, LOCATION, NULL, 
@@ -149,3 +154,5 @@
 
 	return buf;
 }
+
+#endif /* ENABLE_ADMINPORT */
--- a/crypto/dist/ipsec-tools/src/racoon/evt.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/evt.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: evt.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: evt.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: evt.h,v 1.3 2004/11/29 23:30:39 manubsd Exp */
+/* Id: evt.h,v 1.5 2006/01/19 10:24:09 fredsen Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus
@@ -61,6 +61,8 @@
 #define EVTT_XAUTH_FAILED	11
 #define EVTT_OVERFLOW		12	/* Event queue overflowed */
 #define EVTT_PEERPH1AUTH_FAILED	13
+#define EVTT_PEERPH1_NOPROP	14	/* NO_PROPOSAL_CHOSEN & friends */
+#define EVTT_NO_ISAKMP_CFG	15	/* no need to wait for mode_cfg */
 
 struct evt {
 	struct evtdump *dump;
--- a/crypto/dist/ipsec-tools/src/racoon/gcmalloc.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/gcmalloc.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: gcmalloc.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: gcmalloc.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: gcmalloc.h,v 1.4 2001/11/16 04:34:57 sakane Exp $	*/
 
@@ -79,12 +79,20 @@
 
 	GC_FREE(ptr);
 }
+
+char *
+strdup(const char *str)
+{
+
+	return (GC_STRDUP(str));
+}
 #endif /* RACOON_MAIN_PROGRAM */
 
 #define	racoon_malloc(sz)	GC_debug_malloc(sz, GC_EXTRAS)
 #define	racoon_calloc(cnt, sz)	GC_debug_malloc(cnt * sz, GC_EXTRAS)
 #define	racoon_realloc(old, sz)	GC_debug_realloc(old, sz, GC_EXTRAS)
 #define	racoon_free(p)		GC_debug_free(p)
+#define	racoon_strdup(str)	GC_debug_strdup(str)
 
 #endif /* GC */
 
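Review bot: `racoon_strdup(str)` expands to `GC_debug_strdup(str)` with no trailing `GC_EXTRAS`, while the neighbouring `racoon_malloc`/`racoon_calloc`/`racoon_realloc` macros all pass `GC_EXTRAS` to their `GC_debug_*` counterparts; if `GC_debug_strdup` takes the same extra debugging parameters, this macro will not compile under GC. The `GC_STRDUP(str)` wrapper used by the new `strdup()` function above already supplies them, so `#define racoon_strdup(str) GC_STRDUP(str)` would keep the two consistent. Whether `GC_debug_strdup` exists in the GC version this build targets is not visible here.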
@@ -111,6 +119,9 @@
 #ifndef racoon_free
 #define	racoon_free(p)		free((p))
 #endif
+#ifndef racoon_strdup
+#define	racoon_strdup(s)	strdup((s))
+#endif
 #endif /* DEBUG_RECORD_MALLOCATION */
 
 #endif /* _GCMALLOC_H_DEFINED */
--- a/crypto/dist/ipsec-tools/src/racoon/genlist.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/genlist.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: genlist.c,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: genlist.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: genlist.c,v 1.2 2004/07/12 20:43:50 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/genlist.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/genlist.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: genlist.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: genlist.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: genlist.h,v 1.2 2004/07/12 20:43:50 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: getcertsbyname.c,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: getcertsbyname.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: getcertsbyname.c,v 1.7 2001/11/16 04:12:59 sakane Exp $	*/
 
@@ -39,6 +39,9 @@
 
 #include <netinet/in.h>
 #include <arpa/nameser.h>
+#if (defined(__APPLE__) && defined(__MACH__))
+# include <nameser8_compat.h>
+#endif
 #include <resolv.h>
 #ifdef HAVE_LWRES_GETRRSETBYNAME
 #include <lwres/netdb.h>
--- a/crypto/dist/ipsec-tools/src/racoon/gnuc.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/gnuc.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: gnuc.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: gnuc.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: gnuc.h,v 1.4 2004/11/18 15:14:44 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: grabmyaddr.c,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: grabmyaddr.c,v 1.23.4.2 2005/07/16 04:41:01 monas Exp */
+/* Id: grabmyaddr.c,v 1.27 2006/04/06 16:27:05 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -42,7 +42,8 @@
 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 #include <net/if_var.h>
 #endif
-#if defined(__NetBSD__) || defined(__FreeBSD__)
+#if defined(__NetBSD__) || defined(__FreeBSD__) ||	\
+  (defined(__APPLE__) && defined(__MACH__))
 #include <netinet/in.h>
 #include <netinet6/in6_var.h>
 #endif
@@ -804,6 +805,12 @@
 	/* Copy the whole structure and set the differences.  */
 	memcpy (new, old, sizeof (*new));
 	new->addr = dupsaddr (old->addr);
+	if (new->addr == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"failed to allocate buffer for myaddrs.\n");
+		racoon_free(new);
+		return NULL;
+	}
 	new->next = old->next;
 	old->next = new;
 
--- a/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: grabmyaddr.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: grabmyaddr.h,v 1.5 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.c,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: gssapi.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $	*/
 
@@ -155,6 +155,7 @@
 {
 	char name[NI_MAXHOST];
 	struct sockaddr *sa;
+	char* buf = NULL;
 	gss_buffer_desc name_token;
 	OM_uint32 min_stat, maj_stat;
 
@@ -163,8 +164,9 @@
 	if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0)
 		return -1;
 
-	name_token.length = asprintf((char **)&name_token.value,
-	    "%s@%s", GSSAPI_DEF_NAME, name);  
+	name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name);
+	name_token.value = buf;
+
 	maj_stat = gss_import_name(&min_stat, &name_token,
 	    GSS_C_NT_HOSTBASED_SERVICE, service);
 	if (GSS_ERROR(maj_stat)) {
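Review bot: The asprintf() result is stored straight into name_token.length at L3853 without a check; on failure asprintf() returns -1, which becomes SIZE_MAX in the size_t length while buf stays NULL (or indeterminate on some libcs), so gss_import_name() at L3856 is handed a bogus token. Check the result before building the token: `if (asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name) < 0) return -1;` followed by `name_token.length = strlen(buf);`. buf also needs a free() once gss_import_name() has copied the name, if the rest of this function (outside the hunk) does not already release it.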
@@ -290,7 +292,7 @@
 	if (iph1->approval != NULL && iph1->approval->gssid != NULL) {
 		plog(LLV_DEBUG, LOCATION, NULL,
 		    "using provided service '%.*s'\n",
-		    iph1->approval->gssid->l, iph1->approval->gssid->v);
+		    (int)iph1->approval->gssid->l, iph1->approval->gssid->v);
 		name_token.length = iph1->approval->gssid->l;
 		name_token.value = iph1->approval->gssid->v;
 		maj_stat = gss_import_name(&min_stat, &name_token,
@@ -468,7 +470,7 @@
 	*tokens = toks;
 
 	plog(LLV_DEBUG, LOCATION, NULL,
-		"%d itokens of length %d\n", gps->gsscnt, (*tokens)->l);
+		"%d itokens of length %zu\n", gps->gsscnt, (*tokens)->l);
 
 	return 0;
 }
@@ -549,7 +551,7 @@
 		return NULL;
 	}
 
-	plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %d olen %d\n",
+	plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %zu olen %zu\n",
 	    hash_in->length, hash_out->length);
 
 	maj_stat = gss_release_buffer(&min_stat, hash_in);
@@ -591,7 +593,7 @@
 	hashbuf.length = ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash);
 	hashbuf.value = (char *)(iph1->pl_hash + 1);
 
-	plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %d\n",
+	plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %zu\n",
 	    hashbuf.length);
 
 	maj_stat = gss_unwrap(&min_stat, gps->gss_context, hash_in, hash_out,
--- a/crypto/dist/ipsec-tools/src/racoon/gssapi.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/gssapi.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: gssapi.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: gssapi.h,v 1.5 2005/02/11 06:59:01 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/handler.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: handler.c,v 1.7 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: handler.c,v 1.8 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: handler.c,v 1.13.4.4 2005/07/14 12:00:36 vanhu Exp */
+/* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -50,6 +50,10 @@
 #include "sockmisc.h"
 #include "debug.h"
 
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
+
 #include "schedule.h"
 #include "grabmyaddr.h"
 #include "algorithm.h"
@@ -71,6 +75,8 @@
 #include "gcmalloc.h"
 #include "nattraversal.h"
 
+#include "sainfo.h"
+
 #ifdef HAVE_GSSAPI
 #include "gssapi.h"
 #endif
@@ -110,6 +116,7 @@
 	return NULL;
 }
 
+
 /*
  * search for isakmp handler by i_ck in index.
  */
@@ -261,9 +268,11 @@
 delph1(iph1)
 	struct ph1handle *iph1;
 {
+	if (iph1 == NULL)
+		return;
+
 	/* SA down shell script hook */
-	if (iph1 != NULL)
-		script_hook(iph1, SCRIPT_PHASE1_DOWN);
+	script_hook(iph1, SCRIPT_PHASE1_DOWN);
 
 	EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
 
@@ -277,6 +286,11 @@
 	}
 #endif
 
+#ifdef ENABLE_HYBRID
+	if (iph1->mode_cfg)
+		isakmp_cfg_rmstate(iph1);
+#endif
+
 #ifdef ENABLE_DPD
 	if (iph1->dpd_r_u != NULL)
 		SCHED_KILL(iph1->dpd_r_u);
@@ -290,17 +304,11 @@
 		racoon_free(iph1->local);
 		iph1->local = NULL;
 	}
-
 	if (iph1->approval) {
 		delisakmpsa(iph1->approval);
 		iph1->approval = NULL;
 	}
 
-#ifdef ENABLE_HYBRID
-	if (iph1->mode_cfg)
-		isakmp_cfg_rmstate(iph1);
-#endif
-
 	VPTRINIT(iph1->authstr);
 
 	sched_scrub_param(iph1);
@@ -334,6 +342,9 @@
 	VPTRINIT(iph1->id);
 	VPTRINIT(iph1->id_p);
 
+	if(iph1->approval != NULL)
+		delisakmpsa(iph1->approval);
+
 	if (iph1->ivm) {
 		oakley_delivm(iph1->ivm);
 		iph1->ivm = NULL;
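Review bot: The added `delisakmpsa(iph1->approval)` at L3990-L3991 looks like dead code: if this is still delph1(), the previous hunk (new lines 307-310, L3973-L3976) has already called delisakmpsa() on the same pointer and set it to NULL, so the new check can never be true. If it can be reached with a non-NULL pointer on some path, the call leaves iph1->approval dangling; either drop the two lines or follow them with `iph1->approval = NULL;` as the earlier block does. The enclosing function starts and ends outside this hunk.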
@@ -774,6 +785,12 @@
 		return -1;
 
 	new->remote = dupsaddr(remote);
+	if (new->remote == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"failed to allocate buffer.\n");
+		racoon_free(new);
+		return -1;
+	}
 
 	LIST_INSERT_HEAD(&ctdtree, new, chain);
 
@@ -1013,3 +1030,480 @@
 	return 1;
 }
 #endif
+
+
+
+/* 
+ * Reload conf code
+ */
+static int revalidate_ph2(struct ph2handle *iph2){
+	struct sainfoalg *alg;
+	int found, check_level;
+	struct sainfo *sainfo;
+	struct saprop *approval;
+
+	/* 
+	 * Get the new sainfo using values of the old one
+	 */
+	if (iph2->sainfo != NULL) {
+		iph2->sainfo = getsainfo(iph2->sainfo->idsrc, 
+		    iph2->sainfo->iddst, iph2->sainfo->id_i);
+	}
+	approval = iph2->approval;
+	sainfo = iph2->sainfo;
+
+	if (sainfo == NULL) {
+		/* 
+		 * Sainfo has been removed
+		 */
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: No sainfo for ph2\n");
+		return 0;
+	}
+
+	if (approval == NULL) {
+		/*
+		 * XXX why do we have a NULL approval sometimes ???
+		 */
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "No approval found !\n");
+		return 0;
+	}	
+
+	/*
+	 * Don't care about proposals, should we do something ?
+	 * We have to keep iph2->proposal valid at least for initiator,
+	 * for pk_sendgetspi()
+	 */
+
+	plog(LLV_DEBUG, LOCATION, NULL, "active single bundle:\n");
+	printsaprop0(LLV_DEBUG, approval);
+
+	/*
+	 * Validate approval against sainfo
+	 * Note: we must have an updated ph1->rmconf before doing that,
+	 * we'll set check_level to EXACT if we don't have a ph1
+	 * XXX try tu find the new remote section to get the new check level ?
+	 * XXX lifebyte
+	 */
+	if (iph2->ph1 != NULL && iph2->ph1->rmconf != NULL) {
+		check_level = iph2->ph1->rmconf->pcheck_level;
+	} else {
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "No phase1 rmconf found !\n");
+		check_level = PROP_CHECK_EXACT;
+	}
+
+	switch (check_level) {
+	case PROP_CHECK_OBEY:
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: OBEY for ph2, ok\n");
+		return 1;
+		break;
+
+	case PROP_CHECK_STRICT:
+		/* FALLTHROUGH */
+	case PROP_CHECK_CLAIM:
+		if (sainfo->lifetime < approval->lifetime) {
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: lifetime mismatch\n");
+			return 0;
+		}
+
+		if (sainfo->lifebyte < approval->lifebyte) {
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: lifebyte mismatch\n");
+			return 0;
+		}
+
+		if (sainfo->pfs_group &&
+		   sainfo->pfs_group != approval->pfs_group) {
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: PFS group mismatch\n");
+			return 0;
+		}
+		break;
+
+	case PROP_CHECK_EXACT:
+		if (sainfo->lifetime != approval->lifetime ||
+		    sainfo->lifebyte != approval->lifebyte ||
+		    sainfo->pfs_group != iph2->approval->pfs_group) {
+			plog(LLV_DEBUG, LOCATION, NULL,
+			    "Reload: lifetime | pfs mismatch\n");
+			return 0;
+		}
+		break;
+
+	default:
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: Shouldn't be here !\n");
+		return 0;
+		break;
+	}
+
+	for (alg = sainfo->algs[algclass_ipsec_auth]; alg; alg = alg->next) {
+		if (alg->alg == approval->head->head->authtype)
+			break;
+	}
+	if (alg == NULL) {
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: alg == NULL (auth)\n");
+		return 0;
+	}
+
+	found = 0;
+	for (alg = sainfo->algs[algclass_ipsec_enc]; 
+	    (found == 0 && alg != NULL); alg = alg->next) {
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: next ph2 enc alg...\n");
+
+		if (alg->alg != approval->head->head->trns_id){
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: encmode mismatch (%d / %d)\n",
+				 alg->alg, approval->head->head->trns_id);
+			continue;
+		}
+
+		switch (check_level){
+		/* PROP_CHECK_STRICT cannot happen here */
+		case PROP_CHECK_EXACT:
+			if (alg->encklen != approval->head->head->encklen) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "Reload: enclen mismatch\n");
+				continue;
+			}
+			break;
+
+		case PROP_CHECK_CLAIM:
+			/* FALLTHROUGH */
+		case PROP_CHECK_STRICT:
+			if (alg->encklen > approval->head->head->encklen) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "Reload: enclen mismatch\n");
+				continue;
+			}
+			break;
+
+		default:
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "unexpected check_level\n");
+			continue;
+			break;
+		}
+		found = 1;
+	}
+
+	if (!found){
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: No valid enc\n");
+		return 0;
+	}
+
+	/*
+	 * XXX comp
+	 */
+	plog(LLV_DEBUG, LOCATION, NULL,
+		 "Reload: ph2 check ok\n");
+
+	return 1;
+}
+
+
+static void 
+remove_ph2(struct ph2handle *iph2)
+{
+	u_int32_t spis[2];
+
+	if(iph2 == NULL)
+		return;
+
+	plog(LLV_DEBUG, LOCATION, NULL,
+		 "Deleting a Ph2...\n");
+
+	if (iph2->status == PHASE2ST_ESTABLISHED)
+		isakmp_info_send_d2(iph2);
+
+	if(iph2->approval != NULL && iph2->approval->head != NULL){
+		spis[0]=iph2->approval->head->spi;
+		spis[1]=iph2->approval->head->spi_p;
+
+		/* purge_ipsec_spi() will do all the work:
+		 * - delete SPIs in kernel
+		 * - delete generated SPD
+		 * - unbind / rem / del ph2
+		 */
+		purge_ipsec_spi(iph2->dst, iph2->approval->head->proto_id,
+						spis, 2);
+	}else{
+		unbindph12(iph2);
+		remph2(iph2);
+		delph2(iph2);
+	}
+}
+
+static void remove_ph1(struct ph1handle *iph1){
+	struct ph2handle *iph2, *iph2_next;
+
+	if(iph1 == NULL)
+		return;
+
+	plog(LLV_DEBUG, LOCATION, NULL,
+		 "Removing PH1...\n");
+
+	if (iph1->status == PHASE1ST_ESTABLISHED){
+		for (iph2 = LIST_FIRST(&iph1->ph2tree); iph2; iph2 = iph2_next) {
+			iph2_next = LIST_NEXT(iph2, chain);
+			remove_ph2(iph2);
+		}
+		isakmp_info_send_d1(iph1);
+	}
+	iph1->status = PHASE1ST_EXPIRED;
+	iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
+}
+
+
+static int revalidate_ph1tree_rmconf(void){
+	struct ph1handle *p, *next;
+	struct remoteconf *newrmconf;
+
+	for (p = LIST_FIRST(&ph1tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
+
+		if (p->status == PHASE1ST_EXPIRED)
+			continue;
+
+		newrmconf=getrmconf(p->remote);
+		if(newrmconf == NULL){
+			p->rmconf = NULL;
+			remove_ph1(p);
+		}else{
+			/* Do not free old rmconf, it is just a pointer to an entry in rmtree
+			 */
+			p->rmconf=newrmconf;
+			if(p->approval != NULL){
+				struct isakmpsa *tmpsa;
+
+				tmpsa=dupisakmpsa(p->approval);
+				if(tmpsa != NULL){
+					delisakmpsa(p->approval);
+					p->approval=tmpsa;
+					p->approval->rmconf=newrmconf;
+				}
+			}
+		}
+	}
+
+	return 1;
+}
+
+
+/* rmconf is already updated here
+ */
+static int revalidate_ph1(struct ph1handle *iph1){
+	struct isakmpsa *p, *approval;
+	struct etypes *e;
+
+	if(iph1 == NULL ||
+	   iph1->approval == NULL ||
+		iph1->rmconf == NULL)
+		return 0;
+
+	approval=iph1->approval;
+
+	for (e = iph1->rmconf->etypes; e != NULL; e = e->next){
+		if (iph1->etype == e->type)
+			break;
+	}
+
+	if (e == NULL){
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: Exchange type mismatch\n");
+		return 0;
+	}
+
+	if (iph1->etype == ISAKMP_ETYPE_AGG &&
+	   approval->dh_group != iph1->rmconf->dh_group){
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: DH mismatch\n");
+		return 0;
+	}
+
+	for (p=iph1->rmconf->proposal; p != NULL; p=p->next){
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "Reload: Trying next proposal...\n");
+
+		if(approval->authmethod != p->authmethod){
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: Authmethod mismatch\n");
+			continue;
+		}
+
+		if(approval->enctype != p->enctype){
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: enctype mismatch\n");
+			continue;
+		}
+
+		switch (iph1->rmconf->pcheck_level) {
+		case PROP_CHECK_OBEY:
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: OBEY pcheck level, ok...\n");
+			return 1;
+			break;
+
+		case PROP_CHECK_CLAIM:
+			/* FALLTHROUGH */
+		case PROP_CHECK_STRICT:
+			if (approval->encklen < p->encklen) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "Reload: encklen mismatch\n");
+				continue;
+			}
+
+			if (approval->lifetime > p->lifetime) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "Reload: lifetime mismatch\n");
+				continue;
+			}
+
+			if (approval->lifebyte > p->lifebyte) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "Reload: lifebyte mismatch\n");
+				continue;
+			}
+			break;
+
+		case PROP_CHECK_EXACT:
+			if (approval->encklen != p->encklen) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "Reload: encklen mismatch\n");
+				continue;
+			}
+
+			if (approval->lifetime != p->lifetime) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "Reload: lifetime mismatch\n");
+				continue;
+			}
+
+			if (approval->lifebyte != p->lifebyte) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "Reload: lifebyte mismatch\n");
+				continue;
+			}
+			break;
+
+		default:
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "unexpected check_level\n");
+			continue;
+			break;
+		}
+
+		if (approval->hashtype != p->hashtype) {
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: hashtype mismatch\n");
+			continue;
+		}
+
+		if (iph1->etype != ISAKMP_ETYPE_AGG &&
+		    approval->dh_group != p->dh_group) {
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "Reload: dhgroup mismatch\n");
+			continue;
+		}
+
+		plog(LLV_DEBUG, LOCATION, NULL, "Reload: Conf ok\n");
+		return 1;
+	}
+
+	plog(LLV_DEBUG, LOCATION, NULL, "Reload: No valid conf found\n");
+	return 0;
+}
+
+
+static int revalidate_ph1tree(void){
+	struct ph1handle *p, *next;
+
+	for (p = LIST_FIRST(&ph1tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
+
+		if (p->status == PHASE1ST_EXPIRED)
+			continue;
+
+		if(!revalidate_ph1(p))
+			remove_ph1(p);
+	}
+
+	return 1;
+}
+
+static int revalidate_ph2tree(void){
+	struct ph2handle *p, *next;
+
+	for (p = LIST_FIRST(&ph2tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
+
+		if (p->status == PHASE2ST_EXPIRED)
+			continue;
+
+		if(!revalidate_ph2(p)){
+			plog(LLV_DEBUG, LOCATION, NULL,
+				 "PH2 not validated, removing it\n");
+			remove_ph2(p);
+		}
+	}
+
+	return 1;
+}
+
+int 
+revalidate_ph12(void)
+{
+
+	revalidate_ph1tree_rmconf();
+
+	revalidate_ph2tree();
+	revalidate_ph1tree();
+
+	return 1;
+}
+
+#ifdef ENABLE_HYBRID
+struct ph1handle *
+getph1bylogin(login)
+	char *login;
+{
+	struct ph1handle *p;
+
+	LIST_FOREACH(p, &ph1tree, chain) {
+		if (p->mode_cfg == NULL)
+			continue;
+		if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0)
+			return p;
+	}
+
+	return NULL;
+}
+
+int
+purgeph1bylogin(login)
+	char *login;
+{
+	struct ph1handle *p;
+	int found = 0;
+
+	LIST_FOREACH(p, &ph1tree, chain) {
+		if (p->mode_cfg == NULL)
+			continue;
+		if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0) {
+			if (p->status == PHASE1ST_ESTABLISHED)
+				isakmp_info_send_d1(p);
+			purge_remote(p);
+			found++;
+		}
+	}
+
+	return found;
+}
+#endif
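Review bot: revalidate_ph2() dereferences `approval->head->head` (L4125, L4140, L4150, L4160) after checking only `approval` itself, while remove_ph2() in the same hunk guards `iph2->approval->head != NULL` (L4206); a ph2 whose approval carries no proto or transform entry would crash the config reload instead of being dropped. Add `if (approval->head == NULL || approval->head->head == NULL) return 0;` right after the approval NULL check at L4044-L4051. Separately, purgeph1bylogin() keeps walking ph1tree with LIST_FOREACH after calling purge_remote(p) (L4476-L4482); if purge_remote() ever unlinks or frees p synchronously, the macro's LIST_NEXT reads freed memory, and revalidate_ph1tree() in this same hunk already uses the save-next idiom for exactly that reason. The comment `/* PROP_CHECK_STRICT cannot happen here */` at L4148 is also wrong: STRICT falls through into CLAIM at L4084-L4086 and does reach the encryption loop.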
--- a/crypto/dist/ipsec-tools/src/racoon/handler.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: handler.h,v 1.8 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: handler.h,v 1.9 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: handler.h,v 1.11.4.3 2005/05/07 17:26:05 manubsd Exp */
+/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -131,8 +131,10 @@
 	u_int8_t flags;			/* Flags */
 	u_int32_t msgid;		/* message id */
 
+#ifdef ENABLE_NATT
 	struct ph1natt_options *natt_options;	/* Selected NAT-T IKE version */
 	u_int32_t natt_flags;		/* NAT-T related flags */
+#endif
 #ifdef ENABLE_FRAG
 	int frag;			/* IKE phase 1 fragmentation */
 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
@@ -167,7 +169,7 @@
 	struct genlist *rsa_candidates;	/* possible candidates for peer's RSA key */
 	vchar_t *id;			/* ID minus gen header */
 	vchar_t *id_p;			/* partner's ID minus general header */
-					/* i.e. strut ipsecdoi_id_b*. */
+					/* i.e. struct ipsecdoi_id_b*. */
 	struct isakmp_ivm *ivm;		/* IVs */
 
 	vchar_t *sa;			/* whole SA payload to send/to be sent*/
@@ -193,11 +195,13 @@
 	struct timeval end;
 #endif
 
+#ifdef ENABLE_DPD
 	int		dpd_support;	/* Does remote supports DPD ? */
 	time_t		dpd_lastack;	/* Last ack received */
 	u_int16_t	dpd_seq;		/* DPD seq number to receive */
 	u_int8_t	dpd_fails;		/* number of failures */
 	struct sched	*dpd_r_u;
+#endif
 
 	u_int32_t msgid2;		/* msgid counter for Phase 2 */
 	int ph2cnt;	/* the number which is negotiated by this phase 1 */
@@ -426,6 +430,10 @@
 extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
 	struct sockaddr *));
 extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
+#ifdef ENABLE_HYBRID
+struct ph1handle *getph1bylogin __P((char *));
+int purgeph1bylogin __P((char *));
+#endif
 extern vchar_t *dumpph1 __P((void));
 extern struct ph1handle *newph1 __P((void));
 extern void delph1 __P((struct ph1handle *));
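Review bot: The two new prototypes at L4540-L4541 omit `extern`, unlike every neighbouring declaration in this header (L4536, L4538, L4543-L4545); write `extern struct ph1handle *getph1bylogin __P((char *));` and `extern int purgeph1bylogin __P((char *));` so the block reads uniformly. Both functions only read `login` through strncmp() (L4462, L4479 in the handler.c hunk), so `const char *` would be the tighter contract once the definitions are changed to match.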
@@ -470,4 +478,6 @@
 extern int exclude_cfg_addr __P((const struct sockaddr *));
 #endif
 
+extern int revalidate_ph12(void);
+
 #endif /* _HANDLER_H */
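Review bot: `extern int revalidate_ph12(void);` at L4550 is the only prototype in this header written without the `__P(())` wrapper every other declaration uses (L4536-L4545, L4547); write `extern int revalidate_ph12 __P((void));` so the header keeps its single pre-ANSI compatibility convention.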
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: ipsec_doi.c,v 1.12 2005/11/21 14:20:29 manu Exp $	*/
-
-/* Id: ipsec_doi.c,v 1.26.2.15 2005/10/17 16:23:50 monas Exp */
+/*	$NetBSD: ipsec_doi.c,v 1.13 2006/09/09 16:22:09 manu Exp $	*/
+
+/* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -276,10 +276,12 @@
 		plog(LLV_WARNING, LOCATION, NULL,
 			"invalid DH parameter found, use default.\n");
 		oakley_dhgrp_free(sa->dhgrp);
+		sa->dhgrp=NULL;
 	}
 
 	if (oakley_setdhgroup(sa->dh_group, &sa->dhgrp) == -1) {
 		sa->dhgrp = NULL;
+		racoon_free(sa);
 		return NULL;
 	}
 
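Review bot: The new `racoon_free(sa)` at L4574 releases only the struct isakmpsa itself, yet the same kind of object is torn down with delisakmpsa() at L4608 in this file, which presumably also frees owned members such as sa->gssid (L4580) that dupisakmpsa() (L4630) duplicates. On the oakley_setdhgroup() failure path those members would leak; use `delisakmpsa(sa);` here instead so both error paths dispose of the approval the same way. The enclosing function starts and ends outside this hunk.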
@@ -287,7 +289,7 @@
 #ifdef HAVE_GSSAPI
 	if (sa->gssid != NULL)
 		plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%.*s'\n",
-		    sa->gssid->l, sa->gssid->v);
+		    (int)sa->gssid->l, sa->gssid->v);
 	if (iph1-> side == INITIATOR) {
 		if (iph1->rmconf->proposal->gssid != NULL)
 			iph1->gi_i = vdup(iph1->rmconf->proposal->gssid);
@@ -305,16 +307,20 @@
 	}
 	if (iph1->gi_i != NULL)
 		plog(LLV_DEBUG, LOCATION, NULL, "GIi is %.*s\n",
-		    iph1->gi_i->l, iph1->gi_i->v);
+		    (int)iph1->gi_i->l, iph1->gi_i->v);
 	if (iph1->gi_r != NULL)
 		plog(LLV_DEBUG, LOCATION, NULL, "GIr is %.*s\n",
-		    iph1->gi_r->l, iph1->gi_r->v);
+		    (int)iph1->gi_r->l, iph1->gi_r->v);
 #else
 	iph1->approval = sa;
 #endif
+	if(iph1->approval) {
+		plog(LLV_DEBUG, LOCATION, NULL, "agreed on %s auth.\n",
+		    s_oakley_attr_method(iph1->approval->authmethod));
+	}
 
 	newsa = get_sabyproppair(p, iph1);
-	if (newsa == NULL) {
+	if (newsa == NULL){
 		delisakmpsa(iph1->approval);
 		iph1->approval = NULL;
 	}
@@ -379,7 +385,7 @@
 					tsap->hashtype));
 		plog(LLV_DEBUG, LOCATION, NULL, "authmethod = %s:%s\n",
 			s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
-					authmethod),
+					s->authmethod),
 			s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
 					tsap->authmethod));
 		plog(LLV_DEBUG, LOCATION, NULL, "dh_group = %s:%s\n",
@@ -437,8 +443,10 @@
 	}
 
 found:
-	if (tsap->dhgrp != NULL)
+	if (tsap->dhgrp != NULL){
 		oakley_dhgrp_free(tsap->dhgrp);
+		tsap->dhgrp = NULL;
+	}
 
 	if ((s = dupisakmpsa(s)) != NULL) {
 		switch(check_level) {
@@ -463,7 +471,6 @@
 			break;
 		}
 	}
-
 	return s;
 }
 
@@ -533,8 +540,10 @@
 		}
 	}
 
-	if (sa.dhgrp != NULL)
+	if (sa.dhgrp != NULL){
 		oakley_dhgrp_free(sa.dhgrp);
+		sa.dhgrp=NULL;
+	}
 }
 
 /*
@@ -758,8 +767,8 @@
 				sa->gssid = vmalloc(len);
 				memcpy(sa->gssid->v, d + 1, len);
 				plog(LLV_DEBUG, LOCATION, NULL,
-				  "received old-style gss id '%.*s' (len %d)\n",
-				  sa->gssid->l, sa->gssid->v, sa->gssid->l);
+				  "received old-style gss id '%.*s' (len %zu)\n",
+				  (int)sa->gssid->l, sa->gssid->v, sa->gssid->l);
 				break;
 			}
 
@@ -813,8 +822,8 @@
 			sa->gssid->l = (len / 2) - dstleft;
 
 			plog(LLV_DEBUG, LOCATION, NULL,
-			    "received gss id '%.*s' (len %d)\n",
-			    sa->gssid->l, sa->gssid->v, sa->gssid->l);
+			    "received gss id '%.*s' (len %zu)\n",
+			    (int)sa->gssid->l, sa->gssid->v, sa->gssid->l);
 			break;
 		}
 #endif /* HAVE_GSSAPI */
@@ -1166,7 +1175,8 @@
 
     {
 	struct saproto *sp;
-	struct prop_pair *p, *n, *x;
+	struct prop_pair *p, *x;
+	struct prop_pair *n = NULL;
 
 	ret = NULL;
 
@@ -1190,8 +1200,11 @@
 		if (!x)
 			goto err;	/* XXX */
 
+		if (n != NULL)
+			racoon_free(n);
+
 		n = racoon_calloc(1, sizeof(struct prop_pair));
-		if (!n) {
+		if (n == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"failed to get buffer.\n");
 			goto err;
@@ -1263,7 +1276,7 @@
 	vchar_t *sa;
 	int mode;
 {
-	struct prop_pair **pair;
+	struct prop_pair **pair = NULL;
 	int num_p = 0;			/* number of proposal for use */
 	int tlen;
 	caddr_t bp;
@@ -1277,22 +1290,22 @@
 	if (sa->l < sizeof(*sab)) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"Invalid SA length = %zu.\n", sa->l);
-		return NULL;
+		goto bad;
 	}
 
 	/* check DOI */
 	if (check_doi(ntohl(sab->doi)) < 0)
-		return NULL;
+		goto bad;
 
 	/* check SITUATION */
 	if (check_situation(ntohl(sab->sit)) < 0)
-		return NULL;
+		goto bad;
 
 	pair = racoon_calloc(1, MAXPROPPAIRLEN * sizeof(*pair));
 	if (pair == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to get buffer.\n");
-		return NULL;
+		goto bad;
 	}
 	memset(pair, 0, sizeof(pair));
 
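Review bot: `memset(pair, 0, sizeof(pair));` at L4731 zeroes only sizeof(struct prop_pair **) bytes, i.e. the size of one pointer, not the MAXPROPPAIRLEN array that was just allocated, so the line does not do what it reads as doing. It is harmless only because racoon_calloc() already returned zeroed memory; drop the line, or write `memset(pair, 0, MAXPROPPAIRLEN * sizeof(*pair));` if an explicit clear is wanted. get_proppair() continues outside this hunk.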
@@ -1307,7 +1320,7 @@
 
 	pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_P, (struct isakmp_gen *)bp, tlen);
 	if (pbuf == NULL)
-		return NULL;
+		goto bad;
 
 	for (pa = (struct isakmp_parse_t *)pbuf->v;
 	     pa->type != ISAKMP_NPTYPE_NONE;
@@ -1317,7 +1330,7 @@
 			plog(LLV_ERROR, LOCATION, NULL,
 				"Invalid payload type=%u\n", pa->type);
 			vfree(pbuf);
-			return NULL;
+			goto bad;
 		}
 
 		prop = (struct isakmp_pl_p *)pa->ptr;
@@ -1330,7 +1343,7 @@
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid proposal with length %d\n", proplen);
 			vfree(pbuf);
-			return NULL;
+			goto bad;
 		}
 
 		/* check Protocol ID */
@@ -1350,7 +1363,7 @@
 		/* get transform */
 		if (get_transform(prop, pair, &num_p) < 0) {
 			vfree(pbuf);
-			return NULL;
+			goto bad;
 		}
 	}
 	vfree(pbuf);
@@ -1412,10 +1425,14 @@
 	if (num_p <= 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"no Proposal found.\n");
-		return NULL;
+		goto bad;
 	}
 
 	return pair;
+bad:
+	if (pair != NULL)
+		racoon_free(pair);
+	return NULL;
 }
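Review bot: The new `bad:` cleanup at L4778-L4781 frees only the pair array, not the prop_pair chains that get_transform() (L4762) may already have linked into pair[] before a later proposal failed; assuming get_transform() heap-allocates those entries, every `goto bad` after the first successful proposal still leaks them. Walk pair[0..MAXPROPPAIRLEN) and free each chain (reusing the file's existing pair-freeing helper if there is one) before `racoon_free(pair)`. get_proppair() begins outside this hunk.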
 
 /*
@@ -1660,8 +1677,8 @@
 	struct saprop *pp0;
 	vchar_t *sa0;
 {
-	struct prop_pair **pair;
-	vchar_t *newsa;
+	struct prop_pair **pair = NULL;
+	vchar_t *newsa = NULL;
 	int newtlen;
 	u_int8_t *np_p = NULL;
 	struct prop_pair *p = NULL;
@@ -1674,13 +1691,13 @@
 	/* get proposal pair */
 	pair = get_proppair(sa0, IPSECDOI_TYPE_PH2);
 	if (pair == NULL)
-		return NULL;
+		goto bad;
 
 	newtlen = sizeof(struct ipsecdoi_sa_b);
 	for (pp = pp0; pp; pp = pp->next) {
 
 		if (pair[pp->prop_no] == NULL)
-			return NULL;
+			goto bad;
 
 		for (pr = pp->head; pr; pr = pr->next) {
 			newtlen += (sizeof(struct isakmp_pl_p)
@@ -1692,7 +1709,7 @@
 						break;
 				}
 				if (p == NULL)
-					return NULL;
+					goto bad;
 
 				newtlen += ntohs(p->trns->h.len);
 			}
@@ -1702,7 +1719,7 @@
 	newsa = vmalloc(newtlen);
 	if (newsa == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n");
-		return NULL;
+		goto bad;
 	}
 	bp = newsa->v;
 
@@ -1723,7 +1740,7 @@
 						break;
 				}
 				if (p == NULL)
-					return NULL;
+					goto bad;
 
 				trnslen = ntohs(p->trns->h.len);
 
@@ -1749,6 +1766,13 @@
 	}
 
 	return newsa;
+
+bad:
+	if (newsa != NULL)
+		vfree(newsa);
+	if (pair != NULL)
+		racoon_free(pair);
+	return NULL;
 }
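Review bot: The success path at L4842 returns newsa without releasing pair at all, even though pair is a local (L4791) and newsa is a freshly allocated copy (L4822), so the array and whatever chains get_proppair() placed in it leak on every successful call unless get_proppair() hands out shared storage. The new `bad:` label also frees only the array, not the per-slot chains. Route the success path through the same cleanup (`goto out` with a `ret = newsa;` assignment) and free the chains there as well. The enclosing function starts outside this hunk.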
 
 /*
@@ -2087,20 +2111,32 @@
 			case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
 			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-#endif  
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+#if 0 /* Clashes with OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB */
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
+#endif
+#endif
 			case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
 				break;
 			case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
 #ifdef ENABLE_HYBRID
-			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
 			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
 			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
 #endif
 			case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 			case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
 				plog(LLV_ERROR, LOCATION, NULL,
-					"auth method %d isn't supported.\n",
-					lorv);
+					"auth method %s isn't supported.\n",
+					s_oakley_attr_method(lorv));
 				return -1;
 			default:
 				plog(LLV_ERROR, LOCATION, NULL,
@@ -2806,8 +2842,8 @@
 		else
 			attrlen += sa->gssid->l * 2;
 		if (buf) {
-			plog(LLV_DEBUG, LOCATION, NULL, "gss id attr: len %d, "
-			    "val '%.*s'\n", sa->gssid->l, sa->gssid->l,
+			plog(LLV_DEBUG, LOCATION, NULL, "gss id attr: len %zu, "
+			    "val '%.*s'\n", sa->gssid->l, (int)sa->gssid->l,
 			    sa->gssid->v);
 			if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) {
 				p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID,
@@ -3364,9 +3400,8 @@
 
 			switch (id->idtype) {
 			case IDTYPE_ASN1DN:
-				ident.v = (caddr_t)(id_b + 1);
-				ident.l = iph1->id_p->l - 1; /* had ident.l = ident0->l; but why?? */
-				      /* is the actual packet contents length sometimes wrong? */
+				ident.v = iph1->id_p->v + sizeof(*id_b);
+				ident.l = iph1->id_p->l - sizeof(*id_b);
 				if (eay_cmp_asn1dn(ident0, &ident) == 0)
 					goto matched;
 				break;
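Review bot: `ident.l = iph1->id_p->l - sizeof(*id_b);` at L4909 underflows to a huge size_t if the peer-supplied ID payload is shorter than the ipsecdoi_id_b header, and eay_cmp_asn1dn() would then read past the buffer. Unless the payload length is validated before this point (not visible here), guard it with `if (iph1->id_p->l < sizeof(*id_b)) break;` before computing ident. The enclosing function starts and ends outside this hunk.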
@@ -3560,6 +3595,15 @@
 	vchar_t **vpp, *value;
 	int type;
 {
+	return set_identifier_qual(vpp, type, value, IDQUAL_UNSPEC);
+}
+
+int
+set_identifier_qual(vpp, type, value, qual)
+	vchar_t **vpp, *value;
+	int type;
+	int qual;
+{
 	vchar_t *new = NULL;
 
 	/* simply return if value is null. */
@@ -3580,9 +3624,6 @@
 				 "Empty %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn");
 			return -1;
 		}
-#ifdef ENABLE_HYBRID
-	case IDTYPE_LOGIN:
-#endif
 		/* length is adjusted since QUOTEDSTRING teminates NULL. */
 		new = vmalloc(value->l - 1);
 		if (new == NULL)
@@ -3590,31 +3631,54 @@
 		memcpy(new->v, value->v, new->l);
 		break;
 	case IDTYPE_KEYID:
-	{
-		FILE *fp;
-		char b[512];
-		int tlen, len;
-
-		fp = fopen(value->v, "r");
-		if (fp == NULL) {
+		/* 
+		 * If no qualifier is specified: IDQUAL_UNSPEC. It means
+		 * to use a file for backward compatibility sake. 
+		 */
+		switch(qual) {
+		case IDQUAL_FILE:
+		case IDQUAL_UNSPEC: {
+			FILE *fp;
+			char b[512];
+			int tlen, len;
+
+			fp = fopen(value->v, "r");
+			if (fp == NULL) {
+				plog(LLV_ERROR, LOCATION, NULL,
+					"can not open %s\n", value->v);
+				return -1;
+			}
+			tlen = 0;
+			while ((len = fread(b, 1, sizeof(b), fp)) != 0) {
+				new = vrealloc(new, tlen + len);
+				if (!new) {
+					fclose(fp);
+					return -1;
+				}
+				memcpy(new->v + tlen, b, len);
+				tlen += len;
+			}
+			break;
+		}
+
+		case IDQUAL_TAG:
+			new = vmalloc(value->l - 1);
+			if (new == NULL) {
+				plog(LLV_ERROR, LOCATION, NULL,
+					"can not allocate memory");
+				return -1;
+			}
+			memcpy(new->v, value->v, new->l);
+			break;
+
+		default:
 			plog(LLV_ERROR, LOCATION, NULL,
-				"can not open %s\n", value->v);
+				"unknown qualifier");
 			return -1;
 		}
-		tlen = 0;
-		while ((len = fread(b, 1, sizeof(b), fp)) != 0) {
-			new = vrealloc(new, tlen + len);
-			if (!new) {
-				fclose(fp);
-				return -1;
-			}
-			memcpy(new->v + tlen, b, len);
-			tlen += len;
-		}
 		break;
-	}
-	case IDTYPE_ADDRESS:
-	{
+	
+	case IDTYPE_ADDRESS: {
 		struct sockaddr *sa;
 
 		/* length is adjusted since QUOTEDSTRING teminates NULL. */
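Review bot: In the IDQUAL_FILE/IDQUAL_UNSPEC branch the FILE opened at L4961 is only closed on the vrealloc() failure path (L4971); the normal exit at L4977 leaks the descriptor on every key-file load (the removed code had the same leak, but this rewrite keeps it). Add `fclose(fp);` immediately before the `break;` at L4977. An empty key file also leaves `new` NULL here while every other branch yields a buffer, which callers may not expect, and the two new error messages at L4984 and L4993 lack the trailing `\n` that every other plog() call in this file uses.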
@@ -3629,9 +3693,12 @@
 		}
 
 		new = vmalloc(sysdep_sa_len(sa));
-		if (new == NULL)
+		if (new == NULL) {
+			racoon_free(sa);
 			return -1;
+		}
 		memcpy(new->v, sa, new->l);
+		racoon_free(sa);
 		break;
 	}
 	case IDTYPE_ASN1DN:
@@ -3818,6 +3885,71 @@
 	return new;
 }
 
+vchar_t *
+ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
+	struct sockaddr *laddr, *haddr;
+	u_int ul_proto;
+{
+	vchar_t *new;
+	int type, len1, len2;
+	u_short port;
+
+	if (laddr->sa_family != haddr->sa_family) {
+	    plog(LLV_ERROR, LOCATION, NULL, "Address family mismatch\n");
+	    return NULL;
+	}
+
+	switch (laddr->sa_family) {
+	case AF_INET:
+	    type = IPSECDOI_ID_IPV4_ADDR_RANGE;
+	    len1 = sizeof(struct in_addr);
+	    len2 = sizeof(struct in_addr);
+	    break;
+#ifdef INET6
+	case AF_INET6:
+		type = IPSECDOI_ID_IPV6_ADDR_RANGE;
+		len1 = sizeof(struct in6_addr);
+		len2 = sizeof(struct in6_addr);
+		break;
+#endif
+	default:
+		plog(LLV_ERROR, LOCATION, NULL,
+			"invalid family: %d.\n", laddr->sa_family);
+		return NULL;
+	}
+
+	/* get ID buffer */
+	new = vmalloc(sizeof(struct ipsecdoi_id_b) + len1 + len2);
+	if (new == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"failed to get ID buffer.\n");
+		return NULL;
+	}
+
+	memset(new->v, 0, new->l);
+	/* set the part of header. */
+	((struct ipsecdoi_id_b *)new->v)->type = type;
+
+	/* set ul_proto and port */
+	/*
+	 * NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card
+	 * because 0 means port number of 0.  Instead of 0, we use IPSEC_*_ANY.
+	 */
+	((struct ipsecdoi_id_b *)new->v)->proto_id =
+		ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto;
+	port = ((struct sockaddr_in *)(laddr))->sin_port;
+	((struct ipsecdoi_id_b *)new->v)->port =
+		port == IPSEC_PORT_ANY ? 0 : port;
+	memcpy(new->v + sizeof(struct ipsecdoi_id_b), 
+	       (caddr_t)&((struct sockaddr_in *)(laddr))->sin_addr, 
+	       len1);
+	memcpy(new->v + sizeof(struct ipsecdoi_id_b) + len1, 
+	       (caddr_t)&((struct sockaddr_in *)haddr)->sin_addr,
+	       len2);
+	return new;
+}
+
+
 /*
  * create sockaddr structure from ID payload (buf).
  * buffers (saddr, prefixlen, ul_proto) must be allocated.
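Review bot: For AF_INET6 the address copies at L5088-L5093 go through `struct sockaddr_in` casts, so they take sizeof(struct in6_addr) bytes starting at sin_addr's offset rather than at sin6_addr; the IPv6 range ID ends up carrying the flow label followed by a truncated address. Select the address pointer per family in the switch that already sets type and len, as sketched below. The port read at L5085 happens to work because sin_port and sin6_port share an offset, but it should use the same per-family selection so the dependency on layout is explicit.
```c
	caddr_t addr1, addr2;
	/* … unchanged: family mismatch check … */
	switch (laddr->sa_family) {
	case AF_INET:
		type = IPSECDOI_ID_IPV4_ADDR_RANGE;
		len1 = len2 = sizeof(struct in_addr);
		addr1 = (caddr_t)&((struct sockaddr_in *)laddr)->sin_addr;
		addr2 = (caddr_t)&((struct sockaddr_in *)haddr)->sin_addr;
		port = ((struct sockaddr_in *)laddr)->sin_port;
		break;
#ifdef INET6
	case AF_INET6:
		type = IPSECDOI_ID_IPV6_ADDR_RANGE;
		len1 = len2 = sizeof(struct in6_addr);
		addr1 = (caddr_t)&((struct sockaddr_in6 *)laddr)->sin6_addr;
		addr2 = (caddr_t)&((struct sockaddr_in6 *)haddr)->sin6_addr;
		port = ((struct sockaddr_in6 *)laddr)->sin6_port;
		break;
#endif
	/* … unchanged: default / invalid family … */
	}
	/* … unchanged: buffer allocation, type and proto_id setup … */
	((struct ipsecdoi_id_b *)new->v)->port =
		port == IPSEC_PORT_ANY ? 0 : port;
	memcpy(new->v + sizeof(struct ipsecdoi_id_b), addr1, len1);
	memcpy(new->v + sizeof(struct ipsecdoi_id_b) + len1, addr2, len2);
```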
@@ -3950,16 +4082,195 @@
 /*
  * make printable string from ID payload except of general header.
  */
-const char *
+char *
 ipsecdoi_id2str(id)
 	const vchar_t *id;
 {
-	static char buf[256];
-
-	/* XXX */
-	buf[0] = '\0';
-
-	return buf;
+#define BUFLEN 512
+	char * ret = NULL;
+	int len = 0;
+	char *dat;
+	static char buf[BUFLEN];
+	struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id->v;
+	struct sockaddr saddr;
+	u_int plen = 0;
+
+	switch (id_b->type) {
+	case IPSECDOI_ID_IPV4_ADDR:
+	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+	case IPSECDOI_ID_IPV4_ADDR_RANGE:
+
+		saddr.sa_len = sizeof(struct sockaddr_in);
+		saddr.sa_family = AF_INET;
+		((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
+		memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+			id->v + sizeof(*id_b), sizeof(struct in_addr));
+		break;
+#ifdef INET6
+	case IPSECDOI_ID_IPV6_ADDR:
+	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+	case IPSECDOI_ID_IPV6_ADDR_RANGE:
+
+		saddr.sa_len = sizeof(struct sockaddr_in6);
+		saddr.sa_family = AF_INET6;
+		((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
+		memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+			id->v + sizeof(*id_b), sizeof(struct in6_addr));
+		break;
+#endif
+	}
+
+	switch (id_b->type) {
+	case IPSECDOI_ID_IPV4_ADDR:
+#ifdef INET6
+	case IPSECDOI_ID_IPV6_ADDR:
+#endif
+		len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr));
+		break;
+
+	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+#ifdef INET6
+	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+#endif
+	    {
+		u_char *p;
+		u_int max;
+		int alen = sizeof(struct in_addr);
+
+		switch (id_b->type) {
+		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+			alen = sizeof(struct in_addr);
+			break;
+#ifdef INET6
+		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+			alen = sizeof(struct in6_addr);
+			break;
+#endif
+		}
+
+		/* sanity check */
+		if (id->l < alen) {
+			len = 0;
+			break;
+		}
+
+		/* get subnet mask length */
+		plen = 0;
+		max = alen <<3;
+
+		p = (unsigned char *) id->v
+			+ sizeof(struct ipsecdoi_id_b)
+			+ alen;
+
+		for (; *p == 0xff; p++) {
+			if (plen >= max)
+				break;
+			plen += 8;
+		}
+
+		if (plen < max) {
+			u_int l = 0;
+			u_char b = ~(*p);
+
+			while (b) {
+				b >>= 1;
+				l++;
+			}
+
+			l = 8 - l;
+			plen += l;
+		}
+
+		len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr), plen);
+	    }
+		break;
+
+	case IPSECDOI_ID_IPV4_ADDR_RANGE:
+
+		len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+
+		saddr.sa_len = sizeof(struct sockaddr_in);
+		saddr.sa_family = AF_INET;
+		((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
+		memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+			id->v + sizeof(*id_b) + sizeof(struct in_addr),
+			sizeof(struct in_addr));
+
+		len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+
+		break;
+
+#ifdef INET6
+	case IPSECDOI_ID_IPV6_ADDR_RANGE:
+
+		len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+
+		saddr.sa_len = sizeof(struct sockaddr_in6);
+		saddr.sa_family = AF_INET6;
+		((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
+		memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+			id->v + sizeof(*id_b) + sizeof(struct in6_addr),
+			sizeof(struct in6_addr));
+
+		len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+
+		break;
+#endif
+
+	case IPSECDOI_ID_FQDN:
+	case IPSECDOI_ID_USER_FQDN:
+		len = id->l - sizeof(*id_b);
+		if (len > BUFLEN)
+			len = BUFLEN;
+		memcpy(buf, id->v + sizeof(*id_b), len);
+		break;
+
+	case IPSECDOI_ID_DER_ASN1_DN:
+	case IPSECDOI_ID_DER_ASN1_GN:
+	{
+		dat = id->v + sizeof(*id_b);
+		len = id->l - sizeof(*id_b);
+
+		X509_NAME *xn = NULL;
+		if (d2i_X509_NAME(&xn, (void*) &dat, len) != NULL) {
+			BIO *bio = BIO_new(BIO_s_mem());
+			X509_NAME_print_ex(bio, xn, 0, 0);
+			len = BIO_get_mem_data(bio, &dat);
+			if (len > BUFLEN)
+				len = BUFLEN;
+			memcpy(buf,dat,len);
+			BIO_free(bio);
+			X509_NAME_free(xn);
+		} else {
+			plog(LLV_ERROR, LOCATION, NULL,
+				"unable to extract asn1dn from id\n");
+
+			len = sprintf(buf, "<ASN1-DN>");
+		}
+
+		break;
+	}
+
+	/* currently unhandled id types */
+	case IPSECDOI_ID_KEY_ID:
+		len = sprintf( buf, "<KEY-ID>");
+		break;
+
+	default:
+		plog(LLV_ERROR, LOCATION, NULL,
+			"unknown ID type %d\n", id_b->type);
+	}
+
+	if (!len)
+		len = sprintf( buf, "<?>");
+
+	ret = racoon_malloc(len+1);
+	if (ret != NULL) {
+		memcpy(ret,buf,len);
+		ret[len]=0;
+	}
+
+	return ret;
 }
 
 /*
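Review bot: `saddr` is declared as `struct sockaddr` (normally 16 bytes), yet the IPv6 arms write through a `struct sockaddr_in6` cast and memcpy 16 bytes into `sin6_addr`, which starts past the port and flowinfo fields, so the copy runs off the end of the object and corrupts the stack whenever an IPv6 ID is printed (the IPV6_ADDR_RANGE arm does it a second time). Declaring `struct sockaddr_storage saddr;` and passing `(struct sockaddr *)&saddr` to saddrwop2str gives enough room for both families. The subnet sanity check `if (id->l < alen)` only covers one address although the code then reads header plus address plus mask, so `if (id->l < sizeof(*id_b) + 2 * alen)` is the bound actually needed, and the FQDN and ASN1 arms compute `len = id->l - sizeof(*id_b)` without checking that `id->l` is at least the header size. Since the function now returns racoon_malloc()ed memory instead of a static buffer, the header comment above it should state that the caller owns and frees the result.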
@@ -4218,9 +4529,6 @@
 	255,    /*			   IDTYPE_ADDRESS, 4 
 		 * it expands into 4 types by another function. */
 	IPSECDOI_ID_DER_ASN1_DN,	/* IDTYPE_ASN1DN, 5 */
-#ifdef ENABLE_HYBRID
-	255,				/* IDTYPE_LOGIN, 6 */
-#endif
 };
 
 /*
@@ -4276,16 +4584,16 @@
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
 		authmethod = OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I;
 		break;
-	/* Those are not implemented */
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
 		authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I;
 		break;
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+		authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I;
+		break;
+	/* Those are not implemented */
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
 		authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I;
 		break;
-	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
-		authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I;
-		break;
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
 		authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I;
 		break;
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: ipsec_doi.h,v 1.5 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: ipsec_doi.h,v 1.6 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: ipsec_doi.h,v 1.9.2.2 2005/10/17 16:23:50 monas Exp */
+/* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -181,8 +181,12 @@
 #define IDTYPE_KEYID		3
 #define IDTYPE_ADDRESS		4
 #define IDTYPE_ASN1DN		5
-#define IDTYPE_LOGIN		6
-#define IDTYPE_SUBNET		7
+#define IDTYPE_SUBNET		6
+
+/* qualifiers for KEYID (and maybe others) */
+#define IDQUAL_UNSPEC		0
+#define IDQUAL_FILE		1
+#define IDQUAL_TAG		2
 
 /* The use for checking proposal payload. This is not exchange type. */
 #define IPSECDOI_TYPE_PH1	0
@@ -206,11 +210,14 @@
 extern int ipsecdoi_checkid1 __P((struct ph1handle *));
 extern int ipsecdoi_setid1 __P((struct ph1handle *));
 extern int set_identifier __P((vchar_t **, int, vchar_t *));
+extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
 extern int ipsecdoi_setid2 __P((struct ph2handle *));
 extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
 extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
 	u_int8_t *, u_int16_t *));
-extern const char *ipsecdoi_id2str __P((const vchar_t *));
+extern char *ipsecdoi_id2str __P((const vchar_t *));
+extern vchar_t *ipsecdoi_sockrange2id __P((	struct sockaddr *,
+	struct sockaddr *, u_int));
 
 extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *));
 extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
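Review bot: The ipsecdoi_id2str prototype changes from `const char *` to `char *` with nothing saying why; the implementation in this commit returns a freshly racoon_malloc()ed string (or NULL), so every caller must now free it, and that ownership rule belongs on the declaration: `/* returns a racoon_malloc()ed string, or NULL; caller must racoon_free() it */`. The new ipsecdoi_sockrange2id prototype also has a stray tab after `__P((`.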
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp.c,v 1.11 2005/11/21 14:20:29 manu Exp $	*/
-
-/* Id: isakmp.c,v 1.34.2.20 2005/09/26 16:12:20 manubsd Exp */
+/*	$NetBSD: isakmp.c,v 1.12 2006/09/09 16:22:09 manu Exp $	*/
+
+/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,7 +66,9 @@
 #include <unistd.h>
 #endif
 #include <ctype.h>
-#include <fcntl.h>
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
 
 #include "var.h"
 #include "misc.h"
@@ -86,7 +88,6 @@
 #include "oakley.h"
 #include "evt.h"
 #include "handler.h"
-#include "proposal.h"
 #include "ipsec_doi.h"
 #include "pfkey.h"
 #include "crypto_openssl.h"
@@ -98,7 +99,9 @@
 #include "isakmp_inf.h"
 #include "isakmp_newg.h"
 #ifdef ENABLE_HYBRID
+#include "vendorid.h"
 #include "isakmp_xauth.h"
+#include "isakmp_unity.h"
 #include "isakmp_cfg.h"
 #endif
 #ifdef ENABLE_FRAG
@@ -106,17 +109,18 @@
 #endif
 #include "strnames.h"
 
+#include <fcntl.h>
+
 #ifdef ENABLE_NATT
 # include "nattraversal.h"
 # ifdef __linux__
 #  include <linux/udp.h>
-#include <fcntl.h>
-
 #  ifndef SOL_UDP
 #   define SOL_UDP 17
 #  endif
 # endif /* __linux__ */
-# if defined(__NetBSD__) || defined(__FreeBSD__)
+# if defined(__NetBSD__) || defined(__FreeBSD__) ||	\
+  (defined(__APPLE__) && defined(__MACH__))
 #  include <netinet/in.h>
 #  include <netinet/udp.h>
 #  define SOL_UDP IPPROTO_UDP
@@ -303,8 +307,6 @@
 	
 	memcpy (buf->v, tmpbuf->v + extralen, buf->l);
 
-	vfree (tmpbuf);
-
 	len -= extralen;
 	
 	if (len != buf->l) {
@@ -364,6 +366,8 @@
 	error = 0;
 
 end:
+	if (tmpbuf != NULL)
+		vfree(tmpbuf);
 	if (buf != NULL)
 		vfree(buf);
 
@@ -457,10 +461,26 @@
 			/* prevent memory leak */
 			racoon_free(iph1->remote);
 			racoon_free(iph1->local);
+			iph1->remote = NULL;
+			iph1->local = NULL;
 
 			/* copy-in new addresses */
 			iph1->remote = dupsaddr(remote);
+			if (iph1->remote == NULL) {
+           			plog(LLV_ERROR, LOCATION, iph1->remote,
+				   "phase1 failed: dupsaddr failed.\n");
+				remph1(iph1);
+				delph1(iph1);
+				return -1;
+			}
 			iph1->local = dupsaddr(local);
+			if (iph1->local == NULL) {
+           			plog(LLV_ERROR, LOCATION, iph1->remote,
+				   "phase1 failed: dupsaddr failed.\n");
+				remph1(iph1);
+				delph1(iph1);
+				return -1;
+			}
 
 			/* set the flag to prevent further port floating
 			   (FIXME: should we allow it? E.g. when the NAT gw 
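Review bot: In the first added error branch, `plog(LLV_ERROR, LOCATION, iph1->remote, ...)` passes the very pointer the enclosing `if` just found to be NULL, so the address argument is always NULL there; writing `NULL` explicitly, or logging `remote` (the address dupsaddr failed to copy, as the warning plog further down does), makes the intent clear. The two `plog` lines in both branches are indented with spaces while the surrounding block uses tabs. The enclosing function starts and ends outside the hunk, so whether remph1()/delph1() is the right recovery at this point cannot be judged from here.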
@@ -480,8 +500,10 @@
 		if (cmpsaddrstrict(iph1->remote, remote) != 0) {
 			char *saddr_db, *saddr_act;
 
-			saddr_db = strdup(saddr2str(iph1->remote));
-			saddr_act = strdup(saddr2str(remote));
+			saddr_db = racoon_strdup(saddr2str(iph1->remote));
+			saddr_act = racoon_strdup(saddr2str(remote));
+			STRDUP_FATAL(saddr_db);
+			STRDUP_FATAL(saddr_act);
 
 			plog(LLV_WARNING, LOCATION, remote,
 				"remote address mismatched. db=%s, act=%s\n",
@@ -632,7 +654,13 @@
 					isakmp->msgid));
 			return -1;
 		}
-
+#ifdef ENABLE_HYBRID
+		/* Reinit the IVM if it's still there */		
+		if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
+			oakley_delivm(iph1->mode_cfg->ivm);
+			iph1->mode_cfg->ivm = NULL;
+		}
+#endif
 #ifdef ENABLE_FRAG
 		if (isakmp->np == ISAKMP_NPTYPE_FRAG)
 			return frag_handler(iph1, msg, remote, local);
@@ -818,9 +846,14 @@
 		    isakmp_ph1expire_stub, iph1);
 #ifdef ENABLE_HYBRID
 		if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
-			switch(iph1->approval->authmethod) {
-			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+			switch(AUTHMETHOD(iph1)) {
+			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
 				xauth_sendreq(iph1);
 				/* XXX Don't process INITIAL_CONTACT */
 				iph1->rmconf->ini_contact = 0;
@@ -860,8 +893,24 @@
 		 * case it is done when we receive the configuration.
 		 */
 		if ((iph1->status == PHASE1ST_ESTABLISHED) &&
-		    !iph1->rmconf->mode_cfg)
-			script_hook(iph1, SCRIPT_PHASE1_UP);	
+		    !iph1->rmconf->mode_cfg) { 
+			switch (AUTHMETHOD(iph1)) {
+#ifdef ENABLE_HYBRID
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+			/* Unimplemeted... */
+			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
+				break;
+#endif
+			default:
+				script_hook(iph1, SCRIPT_PHASE1_UP);
+				break;
+			}
+		}
 	}
 
 	return 0;
@@ -974,8 +1023,11 @@
 	iph1->gssapi_state = NULL;
 #endif
 #ifdef ENABLE_HYBRID
-	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
+	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
+		remph1(iph1);
+		delph1(iph1);
 		return -1;
+	}
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
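Review bot: The new failure branch calls `remph1(iph1)` before the handler has been inserted: `(void)insph1(iph1);` only runs later, visible at the end of the next hunk, so at this point iph1 is not yet on the phase-1 list. If remph1() is a plain list unlink, as elsewhere in racoon, unlinking a never-inserted entry touches its unset link pointers; `delph1(iph1);` on its own is the matching cleanup before insph1, with remph1 reserved for after it. The same ordering appears in the copy_ph1addresses branch just below and in the two responder-side hunks further down (the ones preceding `respond new phase 1 negotiation`), where insph1 likewise follows the new remph1 calls. The enclosing functions start outside these hunks.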
@@ -984,8 +1036,11 @@
 	iph1->approval = NULL;
 
 	/* XXX copy remote address */
-	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
+	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
+		remph1(iph1);
+		delph1(iph1);
 		return -1;
+	}
 
 	(void)insph1(iph1);
 
@@ -996,7 +1051,9 @@
     {
 	char *a;
 
-	a = strdup(saddr2str(iph1->local));
+	a = racoon_strdup(saddr2str(iph1->local));
+	STRDUP_FATAL(a);
+
 	plog(LLV_INFO, LOCATION, NULL,
 		"initiate new phase 1 negotiation: %s<=>%s\n",
 		a, saddr2str(iph1->remote));
@@ -1081,8 +1138,11 @@
 	iph1->gssapi_state = NULL;
 #endif
 #ifdef ENABLE_HYBRID
-	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
+	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
+		remph1(iph1);
+		delph1(iph1);
 		return -1;
+	}
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
@@ -1100,8 +1160,11 @@
 #endif
 
 	/* copy remote address */
-	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
+	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
+		remph1(iph1);
+		delph1(iph1);
 		return -1;
+	}
 
 	(void)insph1(iph1);
 
@@ -1109,7 +1172,9 @@
     {
 	char *a;
 
-	a = strdup(saddr2str(iph1->local));
+	a = racoon_strdup(saddr2str(iph1->local));
+	STRDUP_FATAL(a);
+
 	plog(LLV_INFO, LOCATION, NULL,
 		"respond new phase 1 negotiation: %s<=>%s\n",
 		a, saddr2str(iph1->remote));
@@ -1165,7 +1230,9 @@
 	plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
     {
 	char *a;
-	a = strdup(saddr2str(iph2->src));
+	a = racoon_strdup(saddr2str(iph2->src));
+	STRDUP_FATAL(a);
+
 	plog(LLV_INFO, LOCATION, NULL,
 		"initiate new phase 2 negotiation: %s<=>%s\n",
 		a, saddr2str(iph2->dst));
@@ -1235,13 +1302,13 @@
 	}
 	switch (iph2->dst->sa_family) {
 	case AF_INET:
-#ifndef ENABLE_NATT
+#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
 		((struct sockaddr_in *)iph2->dst)->sin_port = 0;
 #endif
 		break;
 #ifdef INET6
 	case AF_INET6:
-#ifndef ENABLE_NATT
+#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
 		((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
 #endif
 		break;
@@ -1260,13 +1327,13 @@
 	}
 	switch (iph2->src->sa_family) {
 	case AF_INET:
-#ifndef ENABLE_NATT
+#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
 		((struct sockaddr_in *)iph2->src)->sin_port = 0;
 #endif
 		break;
 #ifdef INET6
 	case AF_INET6:
-#ifndef ENABLE_NATT
+#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
 		((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
 #endif
 		break;
@@ -1286,7 +1353,9 @@
     {
 	char *a;
 
-	a = strdup(saddr2str(iph2->src));
+	a = racoon_strdup(saddr2str(iph2->src));
+	STRDUP_FATAL(a);
+
 	plog(LLV_INFO, LOCATION, NULL,
 		"respond new phase 2 negotiation: %s<=>%s\n",
 		a, saddr2str(iph2->dst));
@@ -1554,6 +1623,10 @@
 			goto err_and_next;
 		}
 
+		if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
+			plog(LLV_WARNING, LOCATION, NULL,
+				"failed to put socket in non-blocking mode\n");
+
 		/* receive my interface address on inbound packets. */
 		switch (p->addr->sa_family) {
 		case AF_INET:
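Review bot: `fcntl(p->sock, F_SETFL, O_NONBLOCK)` replaces the descriptor's whole status-flag set rather than adding the non-blocking bit; on a freshly created socket that is harmless, but the idiomatic and future-proof form reads the flags first: `int fl = fcntl(p->sock, F_GETFL, 0);` then `if (fl == -1 || fcntl(p->sock, F_SETFL, fl | O_NONBLOCK) == -1)`. Whether a warning rather than `goto err_and_next` is sufficient here depends on how the receive loop uses the socket, which lies outside this hunk.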
@@ -1565,7 +1638,8 @@
 #endif
 					(const void *)&yes, sizeof(yes)) < 0) {
 				plog(LLV_ERROR, LOCATION, NULL,
-					"setsockopt (%s)\n", strerror(errno));
+					"setsockopt IP_RECVDSTADDR (%s)\n", 
+					strerror(errno));
 				goto err_and_next;
 			}
 			break;
@@ -1584,12 +1658,8 @@
 					(const void *)&yes, sizeof(yes)) < 0)
 			{
 				plog(LLV_ERROR, LOCATION, NULL,
-					"setsockopt(%d): %s\n",
+					"setsockopt IPV6_RECVDSTADDR (%d):%s\n",
 					pktinfo, strerror(errno));
-		if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
-			plog(LLV_WARNING, LOCATION, NULL,
-				"failed to put socket in non-blocking mode\n");
-
 				goto err_and_next;
 			}
 			break;
@@ -1601,7 +1671,8 @@
 		    setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
 		    (void *)&yes, sizeof(yes)) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "setsockopt (%s)\n", strerror(errno));
+			    "setsockopt IPV6_USE_MIN_MTU (%s)\n", 
+			    strerror(errno));
 			return -1;
 		}
 #endif
@@ -1635,11 +1706,11 @@
 				option = UDP_ENCAP_ESPINUDP_NON_IKE;
 #endif
 			if(option != -1){
-				if (setsockopt (p->sock, SOL_UDP, UDP_ENCAP,
-								&option, sizeof (option)) < 0) {
+				if (setsockopt (p->sock, SOL_UDP, 
+				    UDP_ENCAP, &option, sizeof (option)) < 0) {
 					plog(LLV_WARNING, LOCATION, NULL,
-						 "setsockopt(%s): %s\n",
-						 option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
+					    "setsockopt(%s): UDP_ENCAP %s\n",
+					    option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
 						 strerror(errno));
 					goto skip_encap;
 				}
@@ -1729,7 +1800,11 @@
 	   must added just before the packet itself. For this we must 
 	   allocate a new buffer and release it at the end. */
 	if (extralen) {
-		vbuf = vmalloc (sbuf->l + extralen);
+		if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "vbuf allocation failed\n");
+			return -1;
+		}
 		*(u_int32_t *)vbuf->v = 0;
 		memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
 		sbuf = vbuf;
@@ -1761,6 +1836,7 @@
 	{
 		len = sendfromto(s, sbuf->v, sbuf->l,
 		    iph1->local, iph1->remote, lcconf->count_persend);
+
 		if (len == -1) {
 			plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
 			if ( vbuf != NULL )
@@ -1799,8 +1875,13 @@
 		return -1;
 	}
 
-	if (isakmp_send(iph1, iph1->sendbuf) < 0)
+	if (isakmp_send(iph1, iph1->sendbuf) < 0){
+		iph1->retry_counter--;
+
+		iph1->scr = sched_new(iph1->rmconf->retry_interval,
+							  isakmp_ph1resend_stub, iph1);
 		return -1;
+	}
 
 	plog(LLV_DEBUG, LOCATION, NULL,
 		"resend phase1 packet %s\n",
@@ -1871,8 +1952,11 @@
 	SCHED_KILL(iph1->sce);
 
 	if(iph1->status != PHASE1ST_EXPIRED){
-		src = strdup(saddr2str(iph1->local));
-		dst = strdup(saddr2str(iph1->remote));
+		src = racoon_strdup(saddr2str(iph1->local));
+		dst = racoon_strdup(saddr2str(iph1->remote));
+		STRDUP_FATAL(src);
+		STRDUP_FATAL(dst);
+
 		plog(LLV_INFO, LOCATION, NULL,
 			 "ISAKMP-SA expired %s-%s spi:%s\n",
 			 src, dst,
@@ -1917,8 +2001,11 @@
 
 	/* don't re-negosiation when the phase 1 SA expires. */
 
-	src = strdup(saddr2str(iph1->local));
-	dst = strdup(saddr2str(iph1->remote));
+	src = racoon_strdup(saddr2str(iph1->local));
+	dst = racoon_strdup(saddr2str(iph1->remote));
+	STRDUP_FATAL(src);
+	STRDUP_FATAL(dst);
+
 	plog(LLV_INFO, LOCATION, NULL,
 		"ISAKMP-SA deleted %s-%s spi:%s\n",
 		src, dst, isakmp_pindex(&iph1->index, 0));
@@ -1954,8 +2041,11 @@
 
 	SCHED_KILL(iph2->sce);
 
-	src = strdup(saddrwop2str(iph2->src));
-	dst = strdup(saddrwop2str(iph2->dst));
+	src = racoon_strdup(saddrwop2str(iph2->src));
+	dst = racoon_strdup(saddrwop2str(iph2->dst));
+	STRDUP_FATAL(src);
+	STRDUP_FATAL(dst);
+
 	plog(LLV_INFO, LOCATION, NULL,
 		"phase2 sa expired %s-%s\n", src, dst);
 	racoon_free(src);
@@ -1985,8 +2075,11 @@
 
 	SCHED_KILL(iph2->sce);
 
-	src = strdup(saddrwop2str(iph2->src));
-	dst = strdup(saddrwop2str(iph2->dst));
+	src = racoon_strdup(saddrwop2str(iph2->src));
+	dst = racoon_strdup(saddrwop2str(iph2->dst));
+	STRDUP_FATAL(src);
+	STRDUP_FATAL(dst);
+
 	plog(LLV_INFO, LOCATION, NULL,
 		"phase2 sa deleted %s-%s\n", src, dst);
 	racoon_free(src);
@@ -2012,6 +2105,8 @@
 {
 	struct remoteconf *rmconf;
 	struct ph1handle *iph1 = NULL;
+	
+	plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
 
 	/* search appropreate configuration with masking port. */
 	rmconf = getrmconf(iph2->dst);
@@ -2817,13 +2912,20 @@
 {
 	char *src, *dst;
 
-	src = strdup(saddr2str(iph1->local));
-	dst = strdup(saddr2str(iph1->remote));
+	src = racoon_strdup(saddr2str(iph1->local));
+	dst = racoon_strdup(saddr2str(iph1->remote));
+	STRDUP_FATAL(src);
+	STRDUP_FATAL(dst);
+
 	plog(LLV_INFO, LOCATION, NULL,
 		"ISAKMP-SA established %s-%s spi:%s\n",
 		src, dst,
 		isakmp_pindex(&iph1->index, 0));
+	
 	EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
+	if(!iph1->rmconf->mode_cfg)
+		EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL);
+
 	racoon_free(src);
 	racoon_free(dst);
 
@@ -2853,21 +2955,13 @@
 vchar_t * 
 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
 {
-	struct payload_list *ptr, *first;
+	struct payload_list *ptr = *plist, *first;
 	size_t tlen = sizeof (struct isakmp), n = 0;
-	vchar_t *buf;
+	vchar_t *buf = NULL;
 	char *p;
 
-	if (plist == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "in isakmp_plist_set_all: plist == NULL\n");
-		return NULL;
-	}
-
 	/* Seek to the first item.  */
-	ptr = *plist;
-	while (ptr->prev)
-		ptr = ptr->prev;
+	while (ptr->prev) ptr = ptr->prev;
 	first = ptr;
 	
 	/* Compute the whole length.  */
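Review bot: With the `plist == NULL` guard removed, `while (ptr->prev) ptr = ptr->prev;` dereferences `*plist` unconditionally, and nothing in the new code checks `*plist` itself either (the old code did not either). If callers guarantee a non-empty list, that precondition should be stated above the function, e.g. `/* plist and *plist must be non-NULL: the caller has queued at least one payload */`. Initialising `buf = NULL` and freeing it at `end:` in the next hunk closes the leak on the error paths. The middle of the function lies outside the hunk.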
@@ -2903,6 +2997,8 @@
 
 	return buf;
 end:
+	if (buf != NULL)
+		vfree(buf);
 	return NULL;
 }
 
@@ -2943,7 +3039,9 @@
 	struct sockaddr_in *sin;
 	char **c;
 
-	if (iph1->rmconf->script[script] == -1)
+	if (iph1 == NULL ||
+		iph1->rmconf == NULL ||
+		iph1->rmconf->script[script] == NULL)
 		return;
 
 #ifdef ENABLE_HYBRID
@@ -2980,7 +3078,7 @@
 		goto out;
 	}
 
-	if (privsep_script_exec(iph1->rmconf->script[script], 
+	if (privsep_script_exec(iph1->rmconf->script[script]->v, 
 	    script, envp) != 0) 
 		plog(LLV_ERROR, LOCATION, NULL, 
 		    "Script %s execution failed\n", script_names[script]);
@@ -3018,6 +3116,7 @@
 	if (newenvp == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
 		    "Cannot allocate memory: %s\n", strerror(errno));
+		racoon_free(envitem);
 		return -1;
 	}
 
@@ -3031,22 +3130,13 @@
 
 int
 script_exec(script, name, envp)
-	int script;
+	char *script;
 	int name;
 	char *const envp[];
 {
 	char *argv[] = { NULL, NULL, NULL };
-	vchar_t **sp;
-
-	if (script_paths == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		    "privsep_script_exec: script_paths was not initialized\n");
-		return -1;
-	}
-
-	sp = (vchar_t **)(script_paths->v);
-
-	argv[0] = sp[script]->v;
+
+	argv[0] = script;
 	argv[1] = script_names[name];
 	argv[2] = NULL;
 
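Review bot: script_exec() now receives the script path as a string and runs it directly as `argv[0]`, where the removed code mapped an index into `script_paths`, a table the executing side had built itself. If privsep_script_exec(), which the earlier hunk now calls with `iph1->rmconf->script[script]->v`, forwards this string from the unprivileged process to the privileged one, the privileged side executes whatever path it is handed instead of one it looked up locally; the receiving side should check the path against the script paths in its own configuration before exec, or an index should keep being passed. privsep.c is not part of this diff, so this is a check to confirm rather than a confirmed problem. A comment on script_exec stating who validates `script` would help: `/* script must be a path the caller has already validated against rmconf */`.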
@@ -3066,8 +3156,8 @@
 	default:
 		break;
 	}	
-
 	return 0;
+
 }
 
 void
@@ -3140,7 +3230,11 @@
 			continue;
 		}
 
-		/* check in/outbound SAs */
+		/*
+		 * check in/outbound SAs.
+		 * Select only SAs where src == local and dst == remote (outgoing)
+		 * or src == remote and dst == local (incoming).
+		 */
 		if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
 			(CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
 			msg = next;
@@ -3222,236 +3316,251 @@
 delete_spd(iph2)
 	struct ph2handle *iph2;
 {
+	struct policyindex spidx;
+	struct sockaddr_storage addr;
+	u_int8_t pref;
+	struct sockaddr *src;
+	struct sockaddr *dst;
+	int error;
+	int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
+
 	if (iph2 == NULL)
 		return;
 
 	/* Delete the SPD entry if we generated it
 	 */
-	if (iph2->generated_spidx) {
-		struct policyindex spidx;
-		struct sockaddr_storage addr;
-		u_int8_t pref;
-		struct sockaddr *src = iph2->src;
-		struct sockaddr *dst = iph2->dst;
-		int error;
-		int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
-
-		plog(LLV_INFO, LOCATION, NULL,
-			 "generated policy, deleting it.\n");
+	if (! iph2->generated_spidx )
+		return;
+
+	src = iph2->src;
+	dst = iph2->dst;
+
+	plog(LLV_INFO, LOCATION, NULL,
+		 "generated policy, deleting it.\n");
 		
-		memset(&spidx, 0, sizeof(spidx));
-		iph2->spidx_gen = (caddr_t )&spidx;
+	memset(&spidx, 0, sizeof(spidx));
+	iph2->spidx_gen = (caddr_t )&spidx;
 		
-		/* make inbound policy */
-		iph2->src = dst;
-		iph2->dst = src;
-		spidx.dir = IPSEC_DIR_INBOUND;
-		spidx.ul_proto = 0;
+	/* make inbound policy */
+	iph2->src = dst;
+	iph2->dst = src;
+	spidx.dir = IPSEC_DIR_INBOUND;
+	spidx.ul_proto = 0;
 		
-		/* 
-		 * Note: code from get_proposal_r
-		 */
+	/* 
+	 * Note: code from get_proposal_r
+	 */
 		
 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
 		
-		/*
-		 * make destination address in spidx from either ID payload
-		 * or phase 1 address into a address in spidx.
-		 */
-		if (iph2->id != NULL
-			&& (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
+	/*
+	 * make destination address in spidx from either ID payload
+	 * or phase 1 address into a address in spidx.
+	 */
+	if (iph2->id != NULL
+		&& (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
 			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
 			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
 			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
-			/* get a destination address of a policy */
-			error = ipsecdoi_id2sockaddr(iph2->id,
-			    (struct sockaddr *)&spidx.dst,
-			    &spidx.prefd, &spidx.ul_proto);
-			if (error)
-				goto purge;
+		/* get a destination address of a policy */
+		error = ipsecdoi_id2sockaddr(iph2->id,
+									 (struct sockaddr *)&spidx.dst,
+									 &spidx.prefd, &spidx.ul_proto);
+		if (error)
+			goto purge;
 			
 #ifdef INET6
-			/*
-			 * get scopeid from the SA address.
-			 * note that the phase 1 source address is used as
-			 * a destination address to search for a inbound 
-			 * policy entry because rcoon is responder.
-			 */
-			if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
-				if ((error = 
-				    setscopeid((struct sockaddr *)&spidx.dst,
-				   iph2->src)) != 0)
-					goto purge;
-			}
+		/*
+		 * get scopeid from the SA address.
+		 * note that the phase 1 source address is used as
+		 * a destination address to search for a inbound 
+		 * policy entry because rcoon is responder.
+		 */
+		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
+			if ((error = 
+				 setscopeid((struct sockaddr *)&spidx.dst,
+							iph2->src)) != 0)
+				goto purge;
+		}
 #endif
 			
-			if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
-				|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
-				idi2type = _XIDT(iph2->id);
+		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
+			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
+			idi2type = _XIDT(iph2->id);
 			
-		} else {
+	} else {
 			
-			plog(LLV_DEBUG, LOCATION, NULL,
-				 "get a destination address of SP index "
-				 "from phase1 address "
-				 "due to no ID payloads found "
-				 "OR because ID type is not address.\n");
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "get a destination address of SP index "
+			 "from phase1 address "
+			 "due to no ID payloads found "
+			 "OR because ID type is not address.\n");
 			
-			/*
-			 * copy the SOURCE address of IKE into the 
-			 * DESTINATION address of the key to search the 
-			 * SPD because the direction of policy is inbound.
-			 */
-			memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
-			switch (spidx.dst.ss_family) {
-				case AF_INET:
-					spidx.prefd = 
-					    sizeof(struct in_addr) << 3;
-					break;
+		/*
+		 * copy the SOURCE address of IKE into the 
+		 * DESTINATION address of the key to search the 
+		 * SPD because the direction of policy is inbound.
+		 */
+		memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
+		switch (spidx.dst.ss_family) {
+		case AF_INET:
+			spidx.prefd = 
+				sizeof(struct in_addr) << 3;
+			break;
 #ifdef INET6
-				case AF_INET6:
-					spidx.prefd = 
-					    sizeof(struct in6_addr) << 3;
-					break;
+		case AF_INET6:
+			spidx.prefd = 
+				sizeof(struct in6_addr) << 3;
+			break;
 #endif
-				default:
-					spidx.prefd = 0;
-					break;
-			}
+		default:
+			spidx.prefd = 0;
+			break;
 		}
+	}
 					
-		/* make source address in spidx */
-		if (iph2->id_p != NULL
-			&& (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
+	/* make source address in spidx */
+	if (iph2->id_p != NULL
+		&& (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
 			|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
 			|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
 			|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
-			/* get a source address of inbound SA */
-			error = ipsecdoi_id2sockaddr(iph2->id_p,
-			    (struct sockaddr *)&spidx.src,
-			    &spidx.prefs, &spidx.ul_proto);
-			if (error)
-				goto purge;
+		/* get a source address of inbound SA */
+		error = ipsecdoi_id2sockaddr(iph2->id_p,
+									 (struct sockaddr *)&spidx.src,
+									 &spidx.prefs, &spidx.ul_proto);
+		if (error)
+			goto purge;
 
 #ifdef INET6
-			/*
-			 * get scopeid from the SA address.
-			 * for more detail, see above of this function.
-			 */
-			if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
-				error = 
-				    setscopeid((struct sockaddr *)&spidx.src,
-				    iph2->dst);
-				if (error)
-					goto purge;
-			}
+		/*
+		 * get scopeid from the SA address.
+		 * for more detail, see above of this function.
+		 */
+		if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
+			error = 
+				setscopeid((struct sockaddr *)&spidx.src,
+						   iph2->dst);
+			if (error)
+				goto purge;
+		}
 #endif
 
-			/* make id[src,dst] if both ID types are IP address and same */
-			if (_XIDT(iph2->id_p) == idi2type
-				&& spidx.dst.ss_family == spidx.src.ss_family) {
-				iph2->src_id = 
-				    dupsaddr((struct sockaddr *)&spidx.dst);
-				iph2->dst_id = 
-				    dupsaddr((struct sockaddr *)&spidx.src);
+		/* make id[src,dst] if both ID types are IP address and same */
+		if (_XIDT(iph2->id_p) == idi2type
+			&& spidx.dst.ss_family == spidx.src.ss_family) {
+			iph2->src_id = 
+				dupsaddr((struct sockaddr *)&spidx.dst);
+			if (iph2->src_id == NULL) {
+				plog(LLV_ERROR, LOCATION, NULL,
+					 "allocation failed\n");
+				goto purge;
 			}
-
-		} else {
-			plog(LLV_DEBUG, LOCATION, NULL,
-				 "get a source address of SP index "
-				 "from phase1 address "
-				 "due to no ID payloads found "
-				 "OR because ID type is not address.\n");
-
-			/* see above comment. */
-			memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
-			switch (spidx.src.ss_family) {
-				case AF_INET:
-					spidx.prefs = 
-					    sizeof(struct in_addr) << 3;
-					break;
-#ifdef INET6
-				case AF_INET6:
-					spidx.prefs = 
-					    sizeof(struct in6_addr) << 3;
-					break;
-#endif
-				default:
-					spidx.prefs = 0;
-					break;
+			iph2->dst_id = 
+				dupsaddr((struct sockaddr *)&spidx.src);
+			if (iph2->dst_id == NULL) {
+				plog(LLV_ERROR, LOCATION, NULL,
+					 "allocation failed\n");
+				goto purge;
 			}
 		}
 
+	} else {
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "get a source address of SP index "
+			 "from phase1 address "
+			 "due to no ID payloads found "
+			 "OR because ID type is not address.\n");
+
+		/* see above comment. */
+		memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
+		switch (spidx.src.ss_family) {
+		case AF_INET:
+			spidx.prefs = 
+				sizeof(struct in_addr) << 3;
+			break;
+#ifdef INET6
+		case AF_INET6:
+			spidx.prefs = 
+				sizeof(struct in6_addr) << 3;
+			break;
+#endif
+		default:
+			spidx.prefs = 0;
+			break;
+		}
+	}
+
 #undef _XIDT
 
-		plog(LLV_DEBUG, LOCATION, NULL,
-			 "get a src address from ID payload "
-			 "%s prefixlen=%u ul_proto=%u\n",
-			 saddr2str((struct sockaddr *)&spidx.src),
-			 spidx.prefs, spidx.ul_proto);
-		plog(LLV_DEBUG, LOCATION, NULL,
-			 "get dst address from ID payload "
-			 "%s prefixlen=%u ul_proto=%u\n",
-			 saddr2str((struct sockaddr *)&spidx.dst),
-			 spidx.prefd, spidx.ul_proto);
-
-		/*
-		 * convert the ul_proto if it is 0
-		 * because 0 in ID payload means a wild card.
-		 */
-		if (spidx.ul_proto == 0)
-			spidx.ul_proto = IPSEC_ULPROTO_ANY;
+	plog(LLV_DEBUG, LOCATION, NULL,
+		 "get a src address from ID payload "
+		 "%s prefixlen=%u ul_proto=%u\n",
+		 saddr2str((struct sockaddr *)&spidx.src),
+		 spidx.prefs, spidx.ul_proto);
+	plog(LLV_DEBUG, LOCATION, NULL,
+		 "get dst address from ID payload "
+		 "%s prefixlen=%u ul_proto=%u\n",
+		 saddr2str((struct sockaddr *)&spidx.dst),
+		 spidx.prefd, spidx.ul_proto);
+
+	/*
+	 * convert the ul_proto if it is 0
+	 * because 0 in ID payload means a wild card.
+	 */
+	if (spidx.ul_proto == 0)
+		spidx.ul_proto = IPSEC_ULPROTO_ANY;
 
 #undef _XIDT
 
-		/* End of code from get_proposal_r
-		 */
-
-		if (pk_sendspddelete(iph2) < 0) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				 "pfkey spddelete(inbound) failed.\n");
-		}else{
-			plog(LLV_DEBUG, LOCATION, NULL,
-				 "pfkey spddelete(inbound) sent.\n");
-		}
+	/* End of code from get_proposal_r
+	 */
+
+	if (pk_sendspddelete(iph2) < 0) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			 "pfkey spddelete(inbound) failed.\n");
+	}else{
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "pfkey spddelete(inbound) sent.\n");
+	}
 
 #ifdef HAVE_POLICY_FWD
-		/* make forward policy if required */
-		if (tunnel_mode_prop(iph2->approval)) {
-			spidx.dir = IPSEC_DIR_FWD;
-			if (pk_sendspddelete(iph2) < 0) {
-				plog(LLV_ERROR, LOCATION, NULL,
-					 "pfkey spddelete(forward) failed.\n");
-			}else{
-				plog(LLV_DEBUG, LOCATION, NULL,
-					 "pfkey spddelete(forward) sent.\n");
-			}
-		}
-#endif
-
-		/* make outbound policy */
-		iph2->src = src;
-		iph2->dst = dst;
-		spidx.dir = IPSEC_DIR_OUTBOUND;
-		addr = spidx.src;
-		spidx.src = spidx.dst;
-		spidx.dst = addr;
-		pref = spidx.prefs;
-		spidx.prefs = spidx.prefd;
-		spidx.prefd = pref;
-
+	/* make forward policy if required */
+	if (tunnel_mode_prop(iph2->approval)) {
+		spidx.dir = IPSEC_DIR_FWD;
 		if (pk_sendspddelete(iph2) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
-				 "pfkey spddelete(outbound) failed.\n");
+				 "pfkey spddelete(forward) failed.\n");
 		}else{
 			plog(LLV_DEBUG, LOCATION, NULL,
-				 "pfkey spddelete(outbound) sent.\n");
+				 "pfkey spddelete(forward) sent.\n");
 		}
+	}
+#endif
+
+	/* make outbound policy */
+	iph2->src = src;
+	iph2->dst = dst;
+	spidx.dir = IPSEC_DIR_OUTBOUND;
+	addr = spidx.src;
+	spidx.src = spidx.dst;
+	spidx.dst = addr;
+	pref = spidx.prefs;
+	spidx.prefs = spidx.prefd;
+	spidx.prefd = pref;
+
+	if (pk_sendspddelete(iph2) < 0) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			 "pfkey spddelete(outbound) failed.\n");
+	}else{
+		plog(LLV_DEBUG, LOCATION, NULL,
+			 "pfkey spddelete(outbound) sent.\n");
+	}
 purge:
-		iph2->spidx_gen=NULL;
-	}
+	iph2->spidx_gen=NULL;
 }
 
+
 #ifdef INET6
 u_int32_t
 setscopeid(sp_addr0, sa_addr0)
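Review bot: The inbound half swaps the handler's addresses (`iph2->src = dst; iph2->dst = src;`) and only restores them before the outbound delete, so every `goto purge` — the pre-existing ipsecdoi_id2sockaddr/setscopeid failures and the two new dupsaddr-failure branches — returns with `iph2->src`/`iph2->dst` reversed. Restoring them at the label, `purge:` followed by `iph2->src = src;` and `iph2->dst = dst;` before `iph2->spidx_gen=NULL;`, fixes that and is a no-op on the success path, which has already restored them. The new NULL checks also leave `iph2->src_id` allocated when the `dst_id` dupsaddr fails; presumably the handler's teardown frees it, but that is outside this hunk. The continuation lines of the ipsecdoi_id2sockaddr calls are indented with tab runs far beyond the surrounding style.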
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: isakmp.h,v 1.10 2005/01/29 16:34:25 vanhu Exp */
+/* Id: isakmp.h,v 1.11 2005/04/25 22:19:39 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -350,6 +350,8 @@
 #define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE	28
 #define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE	29
 #define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS	30
+#define ISAKMP_NTYPE_MINERROR			1
+#define ISAKMP_NTYPE_MAXERROR			16383
 /* NOTIFY MESSAGES - STATUS TYPES */
 #define ISAKMP_NTYPE_CONNECTED			16384
 /* 4.6.3 IPSEC DOI Notify Message Types */
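Review bot: The two new range constants `ISAKMP_NTYPE_MINERROR`/`ISAKMP_NTYPE_MAXERROR` carry no comment saying what they bound, and they are placed in the middle of the per-type error list rather than next to the "STATUS TYPES" comment that introduces 16384. A one-line comment would make the split explicit, e.g. `/* error notify types occupy 1..16383; status types start at ISAKMP_NTYPE_CONNECTED (16384) */`. It would also help to state whether a range check against these is meant only to separate error from status notifies, since the reserved and private-use sub-ranges within 1..16383 are not distinguished here.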
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_agg.c,v 1.7 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_agg.c,v 1.8 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: isakmp_agg.c,v 1.20.2.5 2005/11/21 09:46:23 vanhu Exp */
+/* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,6 +61,10 @@
 #include "schedule.h"
 #include "debug.h"
 
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
+
 #include "localconf.h"
 #include "remoteconf.h"
 #include "isakmp_var.h"
@@ -110,7 +114,7 @@
 {
 	struct payload_list *plist = NULL;
 	int need_cr = 0;
-	vchar_t *cr = NULL, *gsstoken = NULL;
+	vchar_t *cr = NULL; 
 	int error = -1;
 #ifdef ENABLE_NATT
 	vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
@@ -124,6 +128,7 @@
 	vchar_t *vid_frag = NULL;
 #endif
 #ifdef HAVE_GSSAPI
+	vchar_t *gsstoken = NULL;
 	int len;
 #endif
 #ifdef ENABLE_DPD
@@ -175,9 +180,14 @@
 
 #ifdef ENABLE_HYBRID
 	/* Do we need Xauth VID? */
-	switch (iph1->rmconf->proposal->authmethod) {
-	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+	switch (RMAUTHMETHOD(iph1)) {
+	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
 		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL, 
 			     "Xauth vendor ID generation failed\n");
@@ -218,10 +228,8 @@
 	plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
 		s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
 #ifdef HAVE_GSSAPI
-	if (iph1->rmconf->proposal->authmethod ==
-	    OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
+	if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
 		gssapi_get_itoken(iph1, &len);
-	}
 #endif
 
 	/* set SA payload to propose */
@@ -237,11 +245,10 @@
 	plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
 
 #ifdef HAVE_GSSAPI
-	if (iph1->rmconf->proposal->authmethod ==
-	    OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
+	if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
 		gssapi_get_token_to_send(iph1, &gsstoken);
 		plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
-	} else
+	}
 #endif
 	/* create isakmp CR payload */
 	if (need_cr)
@@ -293,8 +300,10 @@
 end:
 	if (cr)
 		vfree(cr);
+#ifdef HAVE_GSSAPI
 	if (gsstoken)
 		vfree(gsstoken);
+#endif
 #ifdef ENABLE_FRAG
 	if (vid_frag)
 		vfree(vid_frag);
@@ -303,16 +312,16 @@
 	for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
 		vfree(vid_natt[i]);
 #endif
-#ifdef ENABLE_DPD
-	if (vid_dpd != NULL)
-		vfree(vid_dpd);
-#endif
 #ifdef ENABLE_HYBRID
 	if (vid_xauth != NULL)
 		vfree(vid_xauth);
 	if (vid_unity != NULL)
 		vfree(vid_unity);
 #endif
+#ifdef ENABLE_DPD
+	if (vid_dpd != NULL)
+		vfree(vid_dpd);
+#endif
 
 	return error;
 }
@@ -595,6 +604,10 @@
 	error = 0;
 
 end:
+#ifdef HAVE_GSSAPI
+	if (gsstoken)
+		vfree(gsstoken);
+#endif
 	if (pbuf)
 		vfree(pbuf);
 	if (satmp)
@@ -645,28 +658,35 @@
 	iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
 	if (iph1->hash == NULL) {
 #ifdef HAVE_GSSAPI
-		if (gssapi_more_tokens(iph1))
+		if (gssapi_more_tokens(iph1) &&
+#ifdef ENABLE_HYBRID
+		    !iph1->rmconf->xauth &&
+#endif
+		    1)
 			isakmp_info_send_n1(iph1,
 			    ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
 #endif
 		goto end;
 	}
 
-	switch (iph1->approval->authmethod) {
+	switch (AUTHMETHOD(iph1)) {
 	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
 #ifdef ENABLE_HYBRID
-	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
 #endif  
 		/* set HASH payload */
-		plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
+		plist = isakmp_plist_append(plist, 
+		    iph1->hash, ISAKMP_NPTYPE_HASH);
 		break;
+
 	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
-	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-#endif  
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+#endif
 		/* XXX if there is CR or not ? */
 
 		if (oakley_getmycert(iph1) < 0)
@@ -680,14 +700,20 @@
 
 		/* add CERT payload if there */
 		if (need_cert)
-			plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
+			plist = isakmp_plist_append(plist, 
+			    iph1->cert->pl, ISAKMP_NPTYPE_CERT);
 
 		/* add SIG payload */
-		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
+		plist = isakmp_plist_append(plist, 
+		    iph1->sig, ISAKMP_NPTYPE_SIG);
 		break;
 
 	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
+#endif
 		break;
 #ifdef HAVE_GSSAPI
 	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
@@ -700,37 +726,38 @@
 			goto end;
 		}
 
-		plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
+		plist = isakmp_plist_append(plist, 
+		    gsshash, ISAKMP_NPTYPE_HASH);
 		break;
 #endif
-	default:
-		plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n",
-			iph1->approval->authmethod);
-		goto end;
-		break;
 	}
 
 #ifdef ENABLE_NATT
 	/* generate NAT-D payloads */
-	if (NATT_AVAILABLE(iph1))
-	{
+	if (NATT_AVAILABLE(iph1)) {
 		vchar_t *natd[2] = { NULL, NULL };
 
-		plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
+		plog(LLV_INFO, LOCATION, 
+		    NULL, "Adding remote and local NAT-D payloads.\n");
+
 		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
-				"NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
+			    "NAT-D hashing failed for %s\n", 
+			    saddr2str(iph1->remote));
 			goto end;
 		}
 
 		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
-				"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
+			    "NAT-D hashing failed for %s\n", 
+			    saddr2str(iph1->local));
 			goto end;
 		}
 
-		plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
-		plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
+		plist = isakmp_plist_append(plist, 
+		    natd[0], iph1->natt_options->payload_nat_d);
+		plist = isakmp_plist_append(plist, 
+		    natd[1], iph1->natt_options->payload_nat_d);
 	}
 #endif
 
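Review bot: The rebuilt auth-method switch closes without a `default:` branch, so an auth method that matches none of the listed cases now falls straight through to the NAT-D section and the message is built and sent with neither a HASH nor a SIG payload, whereas the removed branch logged "invalid authmethod" and bailed out via `goto end`. Even if AUTHMETHOD() is expected to yield only the listed values, sending an authenticator-less phase 1 message is a worse failure mode than an error return, so the branch should come back: `default: plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n", AUTHMETHOD(iph1)); goto end;`. The enclosing function starts before this hunk.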
@@ -932,6 +959,10 @@
 	error = 0;
 
 end:
+#ifdef HAVE_GSSAPI
+	if (gsstoken)
+		vfree(gsstoken);
+#endif
 	if (pbuf)
 		vfree(pbuf);
 	if (error) {
@@ -976,11 +1007,15 @@
 #ifdef ENABLE_DPD
 	vchar_t *vid_dpd = NULL;
 #endif
+#ifdef ENABLE_FRAG
+	vchar_t *vid_frag = NULL;
+#endif
 
 #ifdef HAVE_GSSAPI
 	int gsslen;
 	vchar_t *gsstoken = NULL, *gsshash = NULL;
 	vchar_t *gss_sa = NULL;
+	int free_gss_sa = 0;
 #endif
 
 	/* validity check */
@@ -1023,8 +1058,7 @@
 		goto end;
 
 #ifdef HAVE_GSSAPI
-	if (iph1->rmconf->proposal->authmethod ==	
-	    OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
+	if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
 		gssapi_get_rtoken(iph1, &gsslen);
 #endif
 
@@ -1079,37 +1113,60 @@
 	if (iph1->dpd_support && iph1->rmconf->dpd)
 		vid_dpd = set_vendorid(VENDORID_DPD);
 #endif
+#ifdef ENABLE_FRAG
+	if (iph1->frag) {
+		vid_frag = set_vendorid(VENDORID_FRAG);
+		if (vid_frag != NULL)
+			vid_frag = isakmp_frag_addcap(vid_frag,
+			    VENDORID_FRAG_AGG);
+		if (vid_frag == NULL)
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Frag vendorID construction failed\n");
+	}
+#endif
 
-	switch (iph1->approval->authmethod) {
+	switch (AUTHMETHOD(iph1)) {
 	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+#endif
 		/* set SA payload to reply */
-		plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
+		plist = isakmp_plist_append(plist, 
+		    iph1->sa_ret, ISAKMP_NPTYPE_SA);
 
 		/* create isakmp KE payload */
-		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
+		plist = isakmp_plist_append(plist, 
+		    iph1->dhpub, ISAKMP_NPTYPE_KE);
 
 		/* create isakmp NONCE payload */
-		plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
+		plist = isakmp_plist_append(plist, 
+		    iph1->nonce, ISAKMP_NPTYPE_NONCE);
 
 		/* create isakmp ID payload */
-		plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
+		plist = isakmp_plist_append(plist, 
+		    iph1->id, ISAKMP_NPTYPE_ID);
 
 		/* create isakmp HASH payload */
-		plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
+		plist = isakmp_plist_append(plist, 
+		    iph1->hash, ISAKMP_NPTYPE_HASH);
 
 		/* append vendor id, if needed */
 		if (vid)
-			plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
+			plist = isakmp_plist_append(plist, 
+			    vid, ISAKMP_NPTYPE_VID);
 
 		/* create isakmp CR payload if needed */
 		if (need_cr)
-			plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
+			plist = isakmp_plist_append(plist, 
+			    cr, ISAKMP_NPTYPE_CR);
 		break;
 	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
-	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
 #endif
 		/* XXX if there is CR or not ? */
 
@@ -1123,30 +1180,111 @@
 			need_cert = 1;
 
 		/* set SA payload to reply */
-		plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
+		plist = isakmp_plist_append(plist, 
+		    iph1->sa_ret, ISAKMP_NPTYPE_SA);
 
 		/* create isakmp KE payload */
-		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
+		plist = isakmp_plist_append(plist, 
+		    iph1->dhpub, ISAKMP_NPTYPE_KE);
 
 		/* create isakmp NONCE payload */
-		plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
+		plist = isakmp_plist_append(plist, 
+		    iph1->nonce, ISAKMP_NPTYPE_NONCE);
 
 		/* add ID payload */
-		plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
+		plist = isakmp_plist_append(plist, 
+		    iph1->id, ISAKMP_NPTYPE_ID);
 
 		/* add CERT payload if there */
 		if (need_cert)
-			plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
+			plist = isakmp_plist_append(plist, 
+			    iph1->cert->pl, ISAKMP_NPTYPE_CERT);
 
 		/* add SIG payload */
-		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
+		plist = isakmp_plist_append(plist, 
+		    iph1->sig, ISAKMP_NPTYPE_SIG);
 
 		/* append vendor id, if needed */
 		if (vid)
-			plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
+			plist = isakmp_plist_append(plist, 
+			    vid, ISAKMP_NPTYPE_VID);
+
+		/* create isakmp CR payload if needed */
+		if (need_cr)
+			plist = isakmp_plist_append(plist, 
+			    cr, ISAKMP_NPTYPE_CR);
+		break;
+
+	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
+	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
+#endif
+		break;
+#ifdef HAVE_GSSAPI
+	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
+			/* create buffer to send isakmp payload */
+			gsshash = gssapi_wraphash(iph1);
+			if (gsshash == NULL) {
+				plog(LLV_ERROR, LOCATION, NULL,
+					"failed to wrap hash\n");
+				/*
+				 * This is probably due to the GSS 
+				 * roundtrips not being finished yet. 
+				 * Return this error in the hope that 
+				 * a fallback to main mode will be done.
+				 */
+				isakmp_info_send_n1(iph1,
+				    ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
+				goto end;
+			}
+			if (iph1->approval->gssid != NULL)
+				gss_sa = 
+				    ipsecdoi_setph1proposal(iph1->approval);  
+			else
+				gss_sa = iph1->sa_ret;
+
+			if (gss_sa != iph1->sa_ret)
+				free_gss_sa = 1;
+
+			/* set SA payload to reply */
+			plist = isakmp_plist_append(plist, 
+			    gss_sa, ISAKMP_NPTYPE_SA);
+
+			/* create isakmp KE payload */
+			plist = isakmp_plist_append(plist, 
+			    iph1->dhpub, ISAKMP_NPTYPE_KE);
+
+			/* create isakmp NONCE payload */
+			plist = isakmp_plist_append(plist, 
+			    iph1->nonce, ISAKMP_NPTYPE_NONCE);
+
+			/* create isakmp ID payload */
+			plist = isakmp_plist_append(plist, 
+			    iph1->id, ISAKMP_NPTYPE_ID);
+
+			/* create GSS payload */
+			gssapi_get_token_to_send(iph1, &gsstoken);
+			plist = isakmp_plist_append(plist, 
+			    gsstoken, ISAKMP_NPTYPE_GSS);
+
+			/* create isakmp HASH payload */
+			plist = isakmp_plist_append(plist, 
+			    gsshash, ISAKMP_NPTYPE_HASH);
+
+			/* append vendor id, if needed */
+			if (vid)
+				plist = isakmp_plist_append(plist, 
+				    vid, ISAKMP_NPTYPE_VID);
+
+			break;
+#endif
+	}
 
 #ifdef ENABLE_HYBRID
 	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
+		plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
 		if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
 			    "Cannot create Xauth vendor ID\n");
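Review bot: In the GSSAPI case, `gss_sa = ipsecdoi_setph1proposal(iph1->approval)` is appended to the payload list without a NULL check; if that call can fail (its return contract is not visible here), a NULL SA payload goes into the list, and because NULL differs from `iph1->sa_ret` the new `free_gss_sa` flag is set and `vfree(NULL)` runs at `end:`. Suggest `if (gss_sa == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to set phase 1 proposal\n"); goto end; }` right after the assignment, before the `free_gss_sa` test. Separately, this switch also lost its `default:` branch, so an unlisted auth method now yields a message with no SA, KE, NONCE or ID payload instead of the error the removed branch reported. The enclosing function starts before and ends after this hunk.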
@@ -1167,68 +1305,6 @@
 	}
 #endif
 
-		/* create isakmp CR payload if needed */
-		if (need_cr)
-			plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
-		break;
-
-	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
-	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-		break;
-#ifdef HAVE_GSSAPI
-	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
-		/* create buffer to send isakmp payload */
-		gsshash = gssapi_wraphash(iph1);
-		if (gsshash == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to wrap hash\n");
-			/*
-			 * This is probably due to the GSS roundtrips not
-			 * being finished yet. Return this error in
-			 * the hope that a fallback to main mode will
-			 * be done.
-			 */
-			isakmp_info_send_n1(iph1,
-			    ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
-			goto end;
-		}
-		if (iph1->approval->gssid != NULL)
-			gss_sa = ipsecdoi_setph1proposal(iph1->approval);  
-		else
-			gss_sa = iph1->sa_ret;
-
-		/* set SA payload to reply */
-		plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
-
-		/* create isakmp KE payload */
-		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
-
-		/* create isakmp NONCE payload */
-		plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
-
-		/* create isakmp ID payload */
-		plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
-
-		/* create GSS payload */
-		gssapi_get_token_to_send(iph1, &gsstoken);
-		plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
-
-		/* create isakmp HASH payload */
-		plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
-
-		/* append vendor id, if needed */
-		if (vid)
-			plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
-
-		break;
-#endif
-	default:
-		plog(LLV_ERROR, LOCATION, NULL, "Invalid authmethod %d\n",
-			iph1->approval->authmethod);
-		goto end;
-		break;
-	}
-
 #ifdef ENABLE_NATT
 	/* append NAT-T payloads */
 	if (vid_natt) {
@@ -1239,6 +1315,12 @@
 		plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
 	}
 #endif
+
+#ifdef ENABLE_FRAG
+	if (vid_frag)
+		plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
+#endif
+
 #ifdef ENABLE_DPD
 	if (vid_dpd)
 		plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
@@ -1282,13 +1364,17 @@
 		vfree(gsstoken);
 	if (gsshash)
 		vfree(gsshash);
-	if (gss_sa != iph1->sa_ret)
+	if (free_gss_sa)
 		vfree(gss_sa);
 #endif
 #ifdef ENABLE_DPD
 	if (vid_dpd)
 		vfree(vid_dpd);
 #endif
+#ifdef ENABLE_FRAG
+	if (vid_frag)
+		vfree(vid_frag);
+#endif
 
 	return error;
 }
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_agg.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_agg.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: isakmp_agg.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_base.c,v 1.5 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_base.c,v 1.6 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $	*/
 
@@ -61,6 +61,10 @@
 #include "schedule.h"
 #include "debug.h"
 
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
+
 #include "localconf.h"
 #include "remoteconf.h"
 #include "isakmp_var.h"
@@ -80,6 +84,10 @@
 #ifdef ENABLE_FRAG
 #include "isakmp_frag.h"
 #endif
+#ifdef ENABLE_HYBRID
+#include "isakmp_xauth.h"
+#include "isakmp_cfg.h"
+#endif
 
 /* %%%
  * begin Identity Protection Mode as initiator.
@@ -105,6 +113,14 @@
 #ifdef ENABLE_FRAG
 	vchar_t *vid_frag = NULL;
 #endif
+#ifdef ENABLE_HYBRID
+	vchar_t *vid_xauth = NULL;
+	vchar_t *vid_unity = NULL;
+#endif
+#ifdef ENABLE_DPD
+	vchar_t *vid_dpd = NULL;
+#endif
+
 
 	/* validity check */
 	if (msg != NULL) {
@@ -136,6 +152,28 @@
 	if (iph1->nonce == NULL)
 		goto end;
 
+#ifdef ENABLE_HYBRID
+        /* Do we need Xauth VID? */
+        switch (RMAUTHMETHOD(iph1)) {
+        case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
+        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
+                if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
+                        plog(LLV_ERROR, LOCATION, NULL,
+                             "Xauth vendor ID generation failed\n");
+
+                if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
+                        plog(LLV_ERROR, LOCATION, NULL,
+                             "Unity vendor ID generation failed\n");
+                break;
+        default:
+                break;
+        }
+#endif
 #ifdef ENABLE_FRAG
 	if (iph1->rmconf->ike_frag) {
 		vid_frag = set_vendorid(VENDORID_FRAG);
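Review bot: The Xauth/Unity vendor-ID switch added to the initiator's first message is indented with spaces while the surrounding function and the rest of the file use tabs, so the block stands out in any tab-aware diff and will keep tripping style checks; re-indent it with tabs to match the copy of the same switch in isakmp_agg.c. The logic otherwise mirrors the aggressive-mode version, including only logging when `set_vendorid()` fails and continuing without that VID. The enclosing function starts before this hunk.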
@@ -184,13 +222,28 @@
 	if (vid_frag)
 		plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
 #endif
+#ifdef ENABLE_HYBRID
+	if (vid_xauth)
+		plist = isakmp_plist_append(plist, 
+		    vid_xauth, ISAKMP_NPTYPE_VID);
+	if (vid_unity)
+		plist = isakmp_plist_append(plist, 
+		    vid_unity, ISAKMP_NPTYPE_VID);
+#endif
+#ifdef ENABLE_DPD
+	if (iph1->rmconf->dpd) {
+		vid_dpd = set_vendorid(VENDORID_DPD);
+		if (vid_dpd != NULL)
+			plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 
+	}
+#endif  
 #ifdef ENABLE_NATT
 	/* set VID payload for NAT-T */
 	for (i = 0; i < vid_natt_i; i++)
 		plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID);
-
+#endif
 	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-#endif
+
 
 #ifdef HAVE_PRINT_ISAKMP_C
 	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
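Review bot: The new DPD block silently ignores a failed `set_vendorid(VENDORID_DPD)`, while the Xauth and Unity cases earlier in this function and the DPD case in this file's responder both log an error on the same failure. For consistency add `else plog(LLV_ERROR, LOCATION, NULL, "DPD vendorID construction failed\n");` after the `if (vid_dpd != NULL)` append. Moving the `#endif` so that `isakmp_plist_set_all()` is no longer inside the `ENABLE_NATT` conditional is a genuine fix, since the send buffer was previously only built on NAT-T builds. The enclosing function starts before this hunk.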
@@ -214,6 +267,16 @@
 	for (i = 0; i < vid_natt_i; i++)
 		vfree(vid_natt[i]);
 #endif
+#ifdef ENABLE_HYBRID    
+	if (vid_xauth != NULL)
+		vfree(vid_xauth);
+	if (vid_unity != NULL) 
+		vfree(vid_unity);
+#endif 
+#ifdef ENABLE_DPD
+	if (vid_dpd != NULL)    
+		vfree(vid_dpd);
+#endif     
 
 	return error;
 }
@@ -235,6 +298,10 @@
 	vchar_t *satmp = NULL;
 	int error = -1;
 	int vid_numeric;
+#ifdef ENABLE_HYBRID
+	vchar_t *unity_vid;
+	vchar_t *xauth_vid;
+#endif
 
 	/* validity check */
 	if (iph1->status != PHASE1ST_MSG1SENT) {
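Review bot: `unity_vid` and `xauth_vid` are declared under ENABLE_HYBRID here but left uninitialized, and none of the visible hunks of this function use them — the vendor-ID handling below only sets `iph1->mode_cfg->flags`. If they are not used later in the function, drop the two declarations to avoid an unused-variable warning; if they are, initialize them to NULL at declaration so a later `vfree` guard cannot see an indeterminate pointer. The rest of the function lies outside this hunk.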
@@ -280,6 +347,29 @@
 			if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
 			  natt_handle_vendorid(iph1, vid_numeric);
 #endif
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+
+			default:
+				break;
+			}
+#endif
+#ifdef ENABLE_DPD
+			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
+				iph1->dpd_support=1;
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "remote supports DPD\n");
+			}
+#endif
 			break;
 		default:
 			/* don't send information, see ident_r1recv() */
@@ -372,10 +462,21 @@
 		goto end;
 
 	/* generate SKEYID to compute hash if not signature mode */
-	if (iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_RSASIG
-	 && iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_DSSSIG) {
+	switch (AUTHMETHOD(iph1)) {
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+#endif
+		break;
+	default:
 		if (oakley_skeyid(iph1) < 0)
 			goto end;
+		break;
 	}
 
 	/* generate HASH to send */
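Review bot: The list of methods that skip SKEYID generation here groups `OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I` with the signature methods, while the HASH-payload switch just below groups `FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I` with plain PSKEY. Which of the two values AUTHMETHOD() yields for an Xauth/PSK initiator is not visible here; if it can be the non-fictive one, SKEYID is skipped and `oakley_ph1hash_base_i()` runs without it, and if it is always the fictive one the case is dead code. Either a comment stating why a PSK-derived method is deferred with the signature ones, or dropping the case, would remove the ambiguity. The enclosing function starts before this hunk.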
@@ -383,9 +484,13 @@
 	iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE);
 	if (iph1->hash == NULL)
 		goto end;
-
-	switch (iph1->approval->authmethod) {
+	switch (AUTHMETHOD(iph1)) {
 	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
+#ifdef ENABLE_HYBRID
+	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+#endif
 		vid = set_vendorid(iph1->approval->vendorid);
 
 		/* create isakmp KE payload */
@@ -400,6 +505,10 @@
 		break;
 	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+#endif
 		/* XXX if there is CR or not ? */
 
 		if (oakley_getmycert(iph1) < 0)
@@ -412,25 +521,30 @@
 			need_cert = 1;
 
 		/* create isakmp KE payload */
-		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
+		plist = isakmp_plist_append(plist, 
+		    iph1->dhpub, ISAKMP_NPTYPE_KE);
 
 		/* add CERT payload if there */
 		if (need_cert)
-			plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
+			plist = isakmp_plist_append(plist, 
+			    iph1->cert->pl, ISAKMP_NPTYPE_CERT);
 
 		/* add SIG payload */
-		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
+		plist = isakmp_plist_append(plist, 
+		    iph1->sig, ISAKMP_NPTYPE_SIG);
+
 		break;
+#ifdef HAVE_GSSAPI
 	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
 		/* ... */
 		break;
+#endif
 	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-		break;
-	default:
-		plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n",
-			iph1->approval->authmethod);
-		goto end;
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
+#endif
 		break;
 	}
 
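Review bot: The `default:` branch that logged "invalid authmethod" and bailed out is gone from this switch, so an auth method not in the list falls through and the message is later built without the KE and HASH/SIG payloads the listed cases append. Restore it as `default: plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n", AUTHMETHOD(iph1)); goto end;` — the responder's hash-generation switch further down this file still keeps such a guard, so restoring it here is also consistent. The enclosing function starts before this hunk.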
@@ -614,10 +728,21 @@
 		goto end;
 
 	/* generate SKEYID to compute hash if signature mode */
-	if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_RSASIG
-	 || iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_DSSSIG) {
+	switch (AUTHMETHOD(iph1)) {
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+#endif
 		if (oakley_skeyid(iph1) < 0)
 			goto end;
+		break;
+	default:
+		break;
 	}
 
 	/* generate SKEYIDs & IV & final cipher key */
@@ -748,6 +873,29 @@
 			    (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE))
 				iph1->frag = 1;
 #endif
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+
+			default:
+				break;
+			}
+#endif
+#ifdef ENABLE_DPD
+			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
+				iph1->dpd_support=1;
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "remote supports DPD\n");
+			}
+#endif 
 			break;
 		default:
 			/* don't send information, see ident_r1recv() */
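Review bot: Receiving a peer's Xauth or Unity vendor ID sets `ISAKMP_CFG_VENDORID_XAUTH`/`_UNITY` unconditionally, and the responder's send path in this file echoes those vendor IDs back whenever the flag is set, so any peer that announces Xauth gets an Xauth VID in reply regardless of local configuration. The DPD case right below gates on `iph1->rmconf->dpd`; consider the same shape for Xauth, e.g. wrapping the flag assignment in `if (iph1->rmconf->xauth)` — whether `rmconf->xauth` is the right knob is not visible here, but isakmp_agg.c already tests it. The enclosing function starts before and ends after this hunk.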
@@ -821,6 +969,16 @@
 #ifdef ENABLE_NATT
 	vchar_t *vid_natt = NULL;
 #endif
+#ifdef ENABLE_HYBRID    
+        vchar_t *vid_xauth = NULL;
+        vchar_t *vid_unity = NULL;
+#endif  
+#ifdef ENABLE_FRAG
+	vchar_t *vid_frag = NULL;
+#endif
+#ifdef ENABLE_DPD
+	vchar_t *vid_dpd = NULL;
+#endif  
 
 	/* validity check */
 	if (iph1->status != PHASE1ST_MSG1RECEIVED) {
@@ -857,6 +1015,56 @@
 	if (vid_natt)
 		plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
 #endif
+#ifdef ENABLE_HYBRID
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
+		plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
+		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Cannot create Xauth vendor ID\n");
+			goto end;
+		}
+		plist = isakmp_plist_append(plist,
+		    vid_xauth, ISAKMP_NPTYPE_VID);
+	}
+
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
+		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Cannot create Unity vendor ID\n");
+			goto end;
+		}
+		plist = isakmp_plist_append(plist,
+		    vid_unity, ISAKMP_NPTYPE_VID);
+	}
+#endif
+#ifdef ENABLE_DPD
+	/* 
+	 * Only send DPD support if remote announced DPD 
+	 * and if DPD support is active 
+	 */
+	if (iph1->dpd_support && iph1->rmconf->dpd) {
+		if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "DPD vendorID construction failed\n");
+		} else {
+			plist = isakmp_plist_append(plist, vid_dpd,
+			    ISAKMP_NPTYPE_VID);
+		}
+	}
+#endif
+#ifdef ENABLE_FRAG
+	if (iph1->rmconf->ike_frag) {
+		if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Frag vendorID construction failed\n");
+		} else {
+			vid_frag = isakmp_frag_addcap(vid_frag,
+			    VENDORID_FRAG_BASE);
+			plist = isakmp_plist_append(plist,
+			    vid_frag, ISAKMP_NPTYPE_VID);
+		}
+	}
+#endif
 
 	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
 
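Review bot: In the fragmentation block, `vid_frag = isakmp_frag_addcap(vid_frag, VENDORID_FRAG_BASE)` is appended to the payload list without a NULL check, whereas the aggressive-mode responder in this commit checks the result of the same call and logs "Frag vendorID construction failed". If it can fail, a NULL payload enters the list; mirror the other call site: `if (vid_frag != NULL) plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); else plog(LLV_ERROR, LOCATION, NULL, "Frag vendorID construction failed\n");`. Note also that this responder sends the frag VID on `rmconf->ike_frag` alone, while the aggressive responder only answers when the peer announced support via `iph1->frag`. The enclosing function starts before and ends after this hunk.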
@@ -885,6 +1093,20 @@
 	if (vid_natt)
 		vfree(vid_natt);
 #endif
+#ifdef ENABLE_HYBRID    
+	if (vid_xauth != NULL)
+		vfree(vid_xauth);
+	if (vid_unity != NULL)
+		vfree(vid_unity);
+#endif    
+#ifdef ENABLE_FRAG
+	if (vid_frag)
+		vfree(vid_frag);
+#endif
+#ifdef ENABLE_DPD
+	if (vid_dpd)
+		vfree(vid_dpd);
+#endif
 
 	VPTRINIT(iph1->sa_ret);
 
@@ -1069,15 +1291,30 @@
 
 	/* generate HASH to send */
 	plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
-	switch (iph1->approval->authmethod) {
+	switch (AUTHMETHOD(iph1)) {
 	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+#endif
 	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
+#endif
 		iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
 		break;
 	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+#endif
+#ifdef HAVE_GSSAPI
 	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
+#endif
 		iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE);
 		break;
 	default:
@@ -1089,22 +1326,34 @@
 	if (iph1->hash == NULL)
 		goto end;
 
-	switch (iph1->approval->authmethod) {
+	switch (AUTHMETHOD(iph1)) {
 	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+#endif
 		vid = set_vendorid(iph1->approval->vendorid);
 
 		/* create isakmp KE payload */
-		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
+		plist = isakmp_plist_append(plist, 
+		    iph1->dhpub, ISAKMP_NPTYPE_KE);
 
 		/* create isakmp HASH payload */
-		plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
+		plist = isakmp_plist_append(plist, 
+		    iph1->hash, ISAKMP_NPTYPE_HASH);
 
 		/* append vendor id, if needed */
 		if (vid)
-			plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
+			plist = isakmp_plist_append(plist, 
+			    vid, ISAKMP_NPTYPE_VID);
 		break;
 	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+#endif
 		/* XXX if there is CR or not ? */
 
 		if (oakley_getmycert(iph1) < 0)
@@ -1117,52 +1366,60 @@
 			need_cert = 1;
 
 		/* create isakmp KE payload */
-		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
+		plist = isakmp_plist_append(plist, 
+		    iph1->dhpub, ISAKMP_NPTYPE_KE);
 
 		/* add CERT payload if there */
 		if (need_cert)
-			plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
+			plist = isakmp_plist_append(plist, 
+			    iph1->cert->pl, ISAKMP_NPTYPE_CERT);
 		/* add SIG payload */
-		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
+		plist = isakmp_plist_append(plist, 
+		    iph1->sig, ISAKMP_NPTYPE_SIG);
 		break;
+#ifdef HAVE_GSSAPI
 	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
 		/* ... */
 		break;
+#endif
 	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-		break;
-	default:
-		plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n",
-			iph1->approval->authmethod);
-		goto end;
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
+#endif
 		break;
 	}
 
 #ifdef ENABLE_NATT
 	/* generate NAT-D payloads */
-	if (NATT_AVAILABLE(iph1))
-	{
+	if (NATT_AVAILABLE(iph1)) {
 		vchar_t *natd[2] = { NULL, NULL };
 
-		plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
-		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
+		plog(LLV_INFO, LOCATION, 
+		    NULL, "Adding remote and local NAT-D payloads.\n");
+		if ((natd[0] = natt_hash_addr(iph1, iph1->remote)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
-				"NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
+			    "NAT-D hashing failed for %s\n", 
+			    saddr2str(iph1->remote));
 			goto end;
 		}
 
-		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
+		if ((natd[1] = natt_hash_addr(iph1, iph1->local)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
-				"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
+			    "NAT-D hashing failed for %s\n", 
+			    saddr2str(iph1->local));
 			goto end;
 		}
 
-		plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
-		plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
+		plist = isakmp_plist_append(plist, 
+		    natd[0], iph1->natt_options->payload_nat_d);
+		plist = isakmp_plist_append(plist, 
+		    natd[1], iph1->natt_options->payload_nat_d);
 	}
 #endif
 
-	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
+	iph1->sendbuf = isakmp_plist_set_all(&plist, iph1);
 
 #ifdef HAVE_PRINT_ISAKMP_C
 	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
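Review bot: The two NAT-D payloads built with `natt_hash_addr()` are appended to `plist` but never freed in this function — `natd` is a block-local array and nothing after `isakmp_plist_set_all()` releases its entries — so unless that helper takes ownership of payload data (not visible here) each base-mode exchange leaks two buffers; the same pattern appears in the aggressive-mode hunks. If the helper does not free them, hoist the two pointers to function scope and `vfree()` both at `end:`. Separately, the `default:` branch of the auth-method switch was dropped here as well, so an unlisted method now sends a message with no KE or HASH/SIG payload. The enclosing function starts before and ends after this hunk.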
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_base.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_base.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_base.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_base.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: isakmp_base.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.10 2006/01/07 23:51:50 manu Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.11 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: isakmp_cfg.c,v 1.26.2.6 2005/09/23 14:29:45 manubsd Exp */
+/* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
 /*
  * Copyright (C) 2004-2006 Emmanuel Dreyfus
@@ -38,6 +38,18 @@
 #include <sys/socket.h>
 #include <sys/queue.h>
 
+#include <utmp.h>
+#if defined(__APPLE__) && defined(__MACH__)
+#include <util.h>
+#endif
+
+#ifdef __FreeBSD__
+# include <libutil.h>
+#endif
+#ifdef __NetBSD__
+#  include <util.h>
+#endif
+
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
@@ -59,7 +71,11 @@
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif
 #include <ctype.h>
+#include <resolv.h>
 
 #ifdef HAVE_LIBRADIUS
 #include <sys/utsname.h>
@@ -89,21 +105,7 @@
 #include "admin.h"
 #include "privsep.h"
 
-struct isakmp_cfg_config isakmp_cfg_config = {
-	0x00000000, 	/* network4 */
-	0x00000000,	/* netmask4 */
-	0x00000000,	/* dns4 */
-	0x00000000,	/* nbns4 */
-	NULL,		/* pool */
-	ISAKMP_CFG_AUTH_SYSTEM,		/* authsource */
-	ISAKMP_CFG_CONF_LOCAL,		/* confsource */
-	ISAKMP_CFG_ACCT_NONE,		/* accounting */
-	ISAKMP_CFG_MAX_CNX,		/* pool_size */
-	THROTTLE_PENALTY,		/* auth_throttle */
-	ISAKMP_CFG_MOTD,		/* motd */
-	0,				/* pfs_group */
-	0,				/* save_passwd */
-};
+struct isakmp_cfg_config isakmp_cfg_config;
 
 static vchar_t *buffer_cat(vchar_t *s, vchar_t *append);
 static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *);
@@ -113,6 +115,12 @@
 static vchar_t *isakmp_cfg_addr4(struct ph1handle *, 
 				 struct isakmp_data *, in_addr_t *);
 static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *);
+static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *,
+				      struct isakmp_data *, in_addr_t *, int);
+static void isakmp_cfg_appendaddr4(struct isakmp_data *, 
+				   struct in_addr *, int *, int);
+static void isakmp_cfg_getstring(struct isakmp_data *,char *);
+void isakmp_cfg_iplist_to_str(char *, int, void *, int);
 
 #define ISAKMP_CFG_LOGIN	1
 #define ISAKMP_CFG_LOGOUT	2
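Review bot: `isakmp_cfg_iplist_to_str` is declared with external linkage in the .c file's private prototype list while every neighbouring declaration is `static`, so it becomes a global symbol without a header declaration. If other files are meant to call it, its prototype belongs in isakmp_cfg.h; otherwise it should be `static void isakmp_cfg_iplist_to_str(char *, int, void *, int);` so the definition and the prototype agree on linkage.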
@@ -157,7 +165,8 @@
 	 * Decrypt the packet. If this is the beginning of a new
 	 * exchange, reinitialize the IV
 	 */
-	if (iph1->mode_cfg->ivm == NULL)
+	if (iph1->mode_cfg->ivm == NULL ||
+	    iph1->mode_cfg->last_msgid != packet->msgid )
 		iph1->mode_cfg->ivm = 
 		    isakmp_cfg_newiv(iph1, packet->msgid);
 	ivm = iph1->mode_cfg->ivm;
@@ -267,6 +276,8 @@
 {
 	int type = attrpl->type;
 
+	plog(LLV_DEBUG, LOCATION, NULL,
+	     "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
 	switch (type) {
 	case ISAKMP_CFG_ACK:
 		/* ignore, but this is the time to reinit the IV */
@@ -310,6 +321,7 @@
 	char *npp;
 	int type;
 	struct sockaddr_in *sin;
+	int error;
 
 	tlen = ntohs(attrpl->h.len);
 	attr = (struct isakmp_data *)(attrpl + 1);
@@ -323,17 +335,20 @@
 			type &= ~ISAKMP_GEN_MASK;
 
 			plog(LLV_DEBUG, LOCATION, NULL,
-			     "Short attribute %d = %d\n", 
-			     type, ntohs(attr->lorv));
+			     "Short attribute %s = %d\n", 
+			     s_isakmp_cfg_type(type), ntohs(attr->lorv));
 
 			switch (type) {
 			case XAUTH_TYPE:
-				xauth_attr_reply(iph1, attr, ntohs(attrpl->id));
+				if ((error = xauth_attr_reply(iph1, 
+				    attr, ntohs(attrpl->id))) != 0)
+					return error;
 				break;
 
 			default:
 				plog(LLV_WARNING, LOCATION, NULL,
-				     "Ignored short attribute %d\n", type);
+				     "Ignored short attribute %s\n",
+				     s_isakmp_cfg_type(type));
 				break;
 			}
 
@@ -348,12 +363,14 @@
 		/* Check that the attribute fit in the packet */
 		if (tlen < alen) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			     "Short attribute %d\n", type);
+			     "Short attribute %s\n",
+			     s_isakmp_cfg_type(type));
 			return -1;
 		}
 
 		plog(LLV_DEBUG, LOCATION, NULL,
-		     "Attribute %d, len %zu\n", type, alen);
+		     "Attribute %s, len %zu\n", 
+		     s_isakmp_cfg_type(type), alen);
 
 		switch(type) {
 		case XAUTH_TYPE:
@@ -366,7 +383,9 @@
 		case XAUTH_STATUS:
 		case XAUTH_NEXT_PIN:
 		case XAUTH_ANSWER:
-			xauth_attr_reply(iph1, attr, ntohs(attrpl->id));
+			if ((error = xauth_attr_reply(iph1, 
+			    attr, ntohs(attrpl->id))) != 0)
+				return error;
 			break;
 		case INTERNAL_IP4_ADDRESS:
 			isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->addr4);
@@ -377,28 +396,40 @@
 			iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_MASK4;
 			break;
 		case INTERNAL_IP4_DNS:
-			isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->dns4);
+			isakmp_cfg_appendaddr4(attr, 
+			    &iph1->mode_cfg->dns4[iph1->mode_cfg->dns4_index],
+			    &iph1->mode_cfg->dns4_index, MAXNS);
 			iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DNS4;
 			break;
 		case INTERNAL_IP4_NBNS:
-			isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->wins4);
+			isakmp_cfg_appendaddr4(attr, 
+			    &iph1->mode_cfg->wins4[iph1->mode_cfg->wins4_index],
+			    &iph1->mode_cfg->wins4_index, MAXNS);
 			iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_WINS4;
 			break;
-		case INTERNAL_IP4_SUBNET:
-		case INTERNAL_ADDRESS_EXPIRY:
+		case UNITY_DEF_DOMAIN:
+			isakmp_cfg_getstring(attr, 
+			    iph1->mode_cfg->default_domain);
+			iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DEFAULT_DOMAIN;
+			break;
+		case UNITY_SPLIT_INCLUDE:
+		case UNITY_LOCAL_LAN:
+		case UNITY_SPLITDNS_NAME:
 		case UNITY_BANNER:
 		case UNITY_SAVE_PASSWD:
-		case UNITY_DEF_DOMAIN:
-		case UNITY_SPLITDNS_NAME:
-		case UNITY_SPLIT_INCLUDE:
 		case UNITY_NATT_PORT:
 		case UNITY_PFS:
 		case UNITY_FW_TYPE:
 		case UNITY_BACKUP_SERVERS:
 		case UNITY_DDNS_HOSTNAME:
+			isakmp_unity_reply(iph1, attr);
+			break;
+		case INTERNAL_IP4_SUBNET:
+		case INTERNAL_ADDRESS_EXPIRY:
 		default:
 			plog(LLV_WARNING, LOCATION, NULL,
-			     "Ignored attribute %d\n", type);
+			     "Ignored attribute %s\n",
+			     s_isakmp_cfg_type(type));
 			break;
 		}
 
@@ -412,9 +443,25 @@
 	 * It is done at the end of phase 1 if ISAKMP mode config is not
 	 * requested.
 	 */
+	
 	if ((iph1->status == PHASE1ST_ESTABLISHED) && 
-	    iph1->rmconf->mode_cfg)
-		script_hook(iph1, SCRIPT_PHASE1_UP);
+	    iph1->rmconf->mode_cfg) {
+		switch (AUTHMETHOD(iph1)) {
+		case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
+		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+		/* Unimplemented */
+		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 
+			script_hook(iph1, SCRIPT_PHASE1_UP);
+			break;
+		default:
+			break;
+		}
+	}
+		
 
 #ifdef ENABLE_ADMINPORT
 	{
@@ -470,8 +517,8 @@
 			type &= ~ISAKMP_GEN_MASK;
 
 			plog(LLV_DEBUG, LOCATION, NULL,
-			     "Short attribute %d = %d\n", 
-			     type, ntohs(attr->lorv));
+			     "Short attribute %s = %d\n", 
+			     s_isakmp_cfg_type(type), ntohs(attr->lorv));
 
 			switch (type) {
 			case XAUTH_TYPE:
@@ -479,7 +526,8 @@
 				break;
 			default:
 				plog(LLV_WARNING, LOCATION, NULL,
-				     "Ignored short attribute %d\n", type);
+				     "Ignored short attribute %s\n",
+				     s_isakmp_cfg_type(type));
 				break;
 			}
 
@@ -500,12 +548,14 @@
 		/* Check that the attribute fit in the packet */
 		if (tlen < alen) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			     "Short attribute %d\n", type);
+			     "Short attribute %s\n",
+			     s_isakmp_cfg_type(type));
 			goto end;
 		}
 
 		plog(LLV_DEBUG, LOCATION, NULL,
-		     "Attribute %d, len %zu\n", type, alen);
+		     "Attribute %s, len %zu\n",
+		     s_isakmp_cfg_type(type), alen);
 
 		switch(type) {
 		case INTERNAL_IP4_ADDRESS:
@@ -542,6 +592,7 @@
 		case UNITY_FW_TYPE:
 		case UNITY_SPLITDNS_NAME:
 		case UNITY_SPLIT_INCLUDE:
+		case UNITY_LOCAL_LAN:
 		case UNITY_NATT_PORT:
 		case UNITY_BACKUP_SERVERS:
 			reply_attr = isakmp_unity_req(iph1, attr);
@@ -550,7 +601,8 @@
 		case INTERNAL_ADDRESS_EXPIRY:
 		default:
 			plog(LLV_WARNING, LOCATION, NULL,
-			     "Ignored attribute %d\n", type);
+			     "Ignored attribute %s\n",
+			     s_isakmp_cfg_type(type));
 			break;
 		}
 
@@ -570,12 +622,29 @@
 	reply->type = ISAKMP_CFG_REPLY;
 	reply->id = attrpl->id;
 
+	plog(LLV_DEBUG, LOCATION, NULL, 
+		    "Sending MODE_CFG REPLY\n");
+
 	error = isakmp_cfg_send(iph1, payload, 
 	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
 
-	/* Reinit the IV */
-	oakley_delivm(iph1->mode_cfg->ivm);
-	iph1->mode_cfg->ivm = NULL;
+	if (iph1->status == PHASE1ST_ESTABLISHED) {
+		switch (AUTHMETHOD(iph1)) {
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+		/* Unimplemented */
+		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 
+		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 
+			script_hook(iph1, SCRIPT_PHASE1_UP);
+			break;
+		default:
+			break;
+		}
+	}
+	
 end:
 	vfree(payload);
 
@@ -614,18 +683,22 @@
 		reply_attr = NULL;
 		type = ntohs(attr->type);
 
+		plog(LLV_DEBUG, LOCATION, NULL,
+		     "Attribute %s\n", 
+		     s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
+		
 		switch (type & ~ISAKMP_GEN_MASK) {
 		case XAUTH_STATUS:
 			reply_attr = isakmp_xauth_set(iph1, attr);
 			break;
 		default:
 			plog(LLV_DEBUG, LOCATION, NULL,
-			     "Unexpected SET attribute %d\n", 
-				 type & ~ISAKMP_GEN_MASK);
+			     "Unexpected SET attribute %s\n", 
+		     	     s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
 			break;
 		}
 
-		if ((reply_attr = vmalloc(sizeof(*reply_attr))) != NULL) {
+		if (reply_attr != NULL) {
 			payload = buffer_cat(payload, reply_attr);
 			vfree(reply_attr);
 		}
@@ -651,6 +724,9 @@
 	reply->type = ISAKMP_CFG_ACK;
 	reply->id = attrpl->id;
 
+	plog(LLV_DEBUG, LOCATION, NULL,
+		     "Sending MODE_CFG ACK\n");
+
 	error = isakmp_cfg_send(iph1, payload, 
 	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
 
@@ -659,6 +735,7 @@
 			isakmp_info_send_d1(iph1);
 		remph1(iph1);
 		delph1(iph1);
+		iph1 = NULL;
 	}
 end:
 	vfree(payload);
@@ -666,7 +743,7 @@
 	/* 
 	 * If required, request ISAKMP mode config information
 	 */
-	if ((iph1->rmconf->mode_cfg) && (error == 0))
+	if ((iph1 != NULL) && (iph1->rmconf->mode_cfg) && (error == 0))
 		error = isakmp_cfg_getconfig(iph1);
 
 	return error;
@@ -700,6 +777,7 @@
 	struct isakmp_data *attr;
 {
 	int type;
+	int confsource;
 	in_addr_t addr4;
 
 	type = ntohs(attr->type);
@@ -713,12 +791,30 @@
 		return NULL;
 	}
 
+	confsource = isakmp_cfg_config.confsource;
+	/*
+	 * If we have to fall back to a local
+	 * configuration source, we will jump
+	 * back to this point.
+	 */
+retry_source:
+
 	switch(type) {
 	case INTERNAL_IP4_ADDRESS:
-		switch(isakmp_cfg_config.confsource) {
+		switch(confsource) {
+#ifdef HAVE_LIBLDAP
+		case ISAKMP_CFG_CONF_LDAP:
+			if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
+			    break;
+			plog(LLV_INFO, LOCATION, NULL, 
+			    "No IP from LDAP, using local pool\n");
+			/* FALLTHROUGH */
+			confsource = ISAKMP_CFG_CONF_LOCAL;
+			goto retry_source;
+#endif
 #ifdef HAVE_LIBRADIUS
 		case ISAKMP_CFG_CONF_RADIUS:
-			if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_RADIUS)
+			if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
 			    && (iph1->mode_cfg->addr4.s_addr != htonl(-2)))
 			    /*
 			     * -2 is 255.255.255.254, RADIUS uses that
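Review bot: The `/* FALLTHROUGH */` comment now sits directly above `confsource = ISAKMP_CFG_CONF_LOCAL; goto retry_source;`, so it describes a fallthrough that no longer happens and will mislead both readers and lint tools that honour that marker; the same pattern appears in the next two hunks (the RADIUS address case and both INTERNAL_IP4_NETMASK cases). Replace it with a comment that states what the code does, e.g. `/* Fall back to the local pool and re-dispatch on the new source */`. The `break;` in the LDAP address case is also indented with spaces where the rest of the switch uses tabs. The enclosing function starts and ends outside this hunk.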
@@ -728,6 +824,8 @@
 			plog(LLV_INFO, LOCATION, NULL, 
 			    "No IP from RADIUS, using local pool\n");
 			/* FALLTHROUGH */
+			confsource = ISAKMP_CFG_CONF_LOCAL;
+			goto retry_source;
 #endif
 		case ISAKMP_CFG_CONF_LOCAL:
 			if (isakmp_cfg_getport(iph1) == -1) {
@@ -755,14 +853,26 @@
 		break;
 
 	case INTERNAL_IP4_NETMASK:
-		switch(isakmp_cfg_config.confsource) {
+		switch(confsource) {
+#ifdef HAVE_LIBLDAP
+		case ISAKMP_CFG_CONF_LDAP:
+			if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
+				break;
+			plog(LLV_INFO, LOCATION, NULL, 
+			    "No mask from LDAP, using local pool\n");
+			/* FALLTHROUGH */
+			confsource = ISAKMP_CFG_CONF_LOCAL;
+			goto retry_source;
+#endif
 #ifdef HAVE_LIBRADIUS
 		case ISAKMP_CFG_CONF_RADIUS:
-			if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_RADIUS)
+			if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
 				break;
 			plog(LLV_INFO, LOCATION, NULL, 
 			    "No mask from RADIUS, using local pool\n");
 			/* FALLTHROUGH */
+			confsource = ISAKMP_CFG_CONF_LOCAL;
+			goto retry_source;
 #endif
 		case ISAKMP_CFG_CONF_LOCAL:
 			iph1->mode_cfg->mask4.s_addr 
@@ -779,13 +889,15 @@
 		break;
 
 	case INTERNAL_IP4_DNS:
-		return isakmp_cfg_addr4(iph1, 
-		    attr, &isakmp_cfg_config.dns4);
+		return isakmp_cfg_addr4_list(iph1, 
+		    attr, &isakmp_cfg_config.dns4[0], 
+		    isakmp_cfg_config.dns4_index);
 		break;
 
 	case INTERNAL_IP4_NBNS:
-		return isakmp_cfg_addr4(iph1, 
-		    attr, &isakmp_cfg_config.nbns4);
+		return isakmp_cfg_addr4_list(iph1, 
+		    attr, &isakmp_cfg_config.nbns4[0], 
+		    isakmp_cfg_config.nbns4_index);
 		break;
 
 	case INTERNAL_IP4_SUBNET:
@@ -797,7 +909,6 @@
 		plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type);
 		break;
 	}
-
 	return NULL;
 }
 
@@ -870,17 +981,16 @@
 }
 
 vchar_t *
-isakmp_cfg_string(iph1, attr, string)
+isakmp_cfg_varlen(iph1, attr, string, len)
 	struct ph1handle *iph1;
 	struct isakmp_data *attr;
 	char *string;
+	size_t len;
 {
 	vchar_t *buffer;
 	struct isakmp_data *new;
-	size_t len;
 	char *data;
 
-	len = strlen(string);
 	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
 		return NULL;
@@ -896,6 +1006,15 @@
 	
 	return buffer;
 }
+vchar_t *
+isakmp_cfg_string(iph1, attr, string)
+	struct ph1handle *iph1;
+	struct isakmp_data *attr;
+	char *string;
+{
+	size_t len = strlen(string);
+	return isakmp_cfg_varlen(iph1, attr, string, len);
+}
 
 static vchar_t *
 isakmp_cfg_addr4(iph1, attr, addr)
@@ -922,6 +1041,42 @@
 	return buffer;
 }
 
+static vchar_t *
+isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
+	struct ph1handle *iph1;
+	struct isakmp_data *attr;
+	in_addr_t *addr;
+	int nbr;
+{
+	vchar_t *buffer;
+	vchar_t *bufone;
+	struct isakmp_data *new;
+	size_t len;
+	int i;
+
+	len = sizeof(*addr);
+	if((buffer = vmalloc(0)) == NULL ) {
+		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+		return NULL;
+	}
+	for(i = 0; i < nbr; i++) {
+		if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "Cannot allocate memory\n");
+			return NULL;
+		}
+		new = (struct isakmp_data *)bufone->v;
+		new->type = attr->type;
+		new->lorv = htons(len);
+		memcpy(new + 1, &addr[i], len);
+		new += (len + sizeof(*attr));
+		buffer = buffer_cat(buffer, bufone);
+		vfree(bufone);
+	}
+
+	return buffer;
+}
+
 struct isakmp_ivm *
 isakmp_cfg_newiv(iph1, msgid)
 	struct ph1handle *iph1;
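Review bot: `isakmp_cfg_addr4_list` leaks `buffer` when the per-entry `vmalloc` fails: it returns NULL after allocating `buffer = vmalloc(0)` and possibly several concatenated entries without freeing it, so the error path should read `vfree(buffer); return NULL;`. The statement `new += (len + sizeof(*attr));` has no effect (its result is never used) and should be removed. The return value of `buffer_cat` is also assigned back unchecked; if that helper can return NULL on allocation failure (its body is not in this hunk), the loop would then dereference it on the next iteration, so the result presumably needs the same check.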
@@ -939,6 +1094,7 @@
 		oakley_delivm(ics->ivm);
 
 	ics->ivm = oakley_newiv2(iph1, msgid);
+	ics->last_msgid = msgid;
 
 	return ics->ivm;
 }
@@ -976,18 +1132,29 @@
 		goto end;
 
 	iph2->dst = dupsaddr(iph1->remote);
+	if (iph2->dst == NULL) {
+		delph2(iph2);
+		goto end;
+	}
 	iph2->src = dupsaddr(iph1->local);
+	if (iph2->src == NULL) {
+		delph2(iph2);
+		goto end;
+	}
+
 	switch (iph1->remote->sa_family) {
 	case AF_INET:
-#ifndef ENABLE_NATT
+#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
 		((struct sockaddr_in *)iph2->dst)->sin_port = 0;
 		((struct sockaddr_in *)iph2->src)->sin_port = 0;
 #endif
 		break;
 #ifdef INET6
 	case AF_INET6:
+#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
 		((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
 		((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
+#endif
 		break;
 #endif
 	default:
@@ -1078,6 +1245,9 @@
 #ifdef HAVE_PRINT_ISAKMP_C
 	isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
 #endif
+	
+	plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n");
+	plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l);
 
 	/* encoding */
 	if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
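Review bot: The new `plogdump` writes the full cleartext of `iph2->sendbuf` to the log before the `/* encoding */` step applies the ISAKMP_FLAG_E encryption, and this file builds MODE_CFG payloads that carry XAUTH reply attributes (XAUTH_TYPE … XAUTH_ANSWER are routed in `isakmp_cfg_reply`), so a debug-level log may now contain the peer's XAUTH credentials in plain text. The existing `isakmp_printpacket` dump is at least gated behind `HAVE_PRINT_ISAKMP_C`; this dump is unconditional at LLV_DEBUG. Either gate it the same way, or document the exposure next to it with a comment such as `/* XXX cleartext dump: may include XAUTH credentials, debug builds only */`. The enclosing function starts and ends outside this hunk.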
@@ -1133,6 +1303,20 @@
 	if (state->flags & ISAKMP_CFG_PORT_ALLOCATED)
 		isakmp_cfg_putport(iph1, state->port);	
 
+	/* Delete the IV if it's still there */
+	if(iph1->mode_cfg->ivm) {
+		oakley_delivm(iph1->mode_cfg->ivm);
+		iph1->mode_cfg->ivm = NULL;
+	}
+
+	/* Free any allocated splitnet lists */
+	if(iph1->mode_cfg->split_include != NULL)
+		splitnet_list_free(iph1->mode_cfg->split_include,
+			&iph1->mode_cfg->include_count);
+	if(iph1->mode_cfg->split_local != NULL)
+		splitnet_list_free(iph1->mode_cfg->split_local,
+			&iph1->mode_cfg->local_count);
+
 	xauth_rmstate(&state->xauth);
 
 	racoon_free(state);
@@ -1253,6 +1437,9 @@
 	if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS)
 		return isakmp_cfg_accounting_radius(iph1, inout);
 #endif
+	if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM)
+		return privsep_accounting_system(iph1->mode_cfg->port,
+			iph1->remote, iph1->mode_cfg->login, inout);
 	return 0;
 }
 
@@ -1454,6 +1641,68 @@
 	return 0;
 }
 #endif
+
+/*
+	Logs the user into the utmp system files.
+*/
+
+int
+isakmp_cfg_accounting_system(port, raddr, usr, inout)
+	int port;
+	struct sockaddr *raddr;
+	char *usr;
+	int inout;
+{
+	int error = 0;
+	struct utmp ut;
+	char term[UT_LINESIZE];
+	char addr[NI_MAXHOST];
+	
+	if (usr == NULL || usr[0]=='\0') {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"system accounting : no login found\n");
+		return -1;
+	}
+
+	sprintf(term, TERMSPEC, port);
+
+	switch (inout) {
+	case ISAKMP_CFG_LOGIN:
+		strncpy(ut.ut_name, usr, UT_NAMESIZE);
+		ut.ut_name[UT_NAMESIZE - 1] = '\0';
+
+		strncpy(ut.ut_line, term, UT_LINESIZE);
+		ut.ut_line[UT_LINESIZE - 1] = '\0';
+
+		GETNAMEINFO_NULL(raddr, addr);
+		strncpy(ut.ut_host, addr, UT_HOSTSIZE);
+		ut.ut_host[UT_HOSTSIZE - 1] = '\0';
+
+		ut.ut_time = time(NULL);
+ 
+		plog(LLV_INFO, LOCATION, NULL,
+			"Accounting : '%s' logging on '%s' from %s.\n",
+			ut.ut_name, ut.ut_line, ut.ut_host);
+
+		login(&ut);
+
+		break;
+	case ISAKMP_CFG_LOGOUT:	
+
+		plog(LLV_INFO, LOCATION, NULL,
+			"Accounting : '%s' unlogging from '%s'.\n",
+			usr, term);
+
+		logout(term);
+
+		break;
+	default:
+		plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
+		break;
+	}
+
+	return 0;
+}
 	
 int 
 isakmp_cfg_getconfig(iph1)
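Review bot: `struct utmp ut` is never zeroed, so every field of the record that this function does not assign (`ut_name`, `ut_line`, `ut_host`, `ut_time` are the only ones set) is written to the utmp file as stack garbage; add `memset(&ut, 0, sizeof(ut));` before the switch. `sprintf(term, TERMSPEC, port)` writes `"vpn%d"` into `char term[UT_LINESIZE]` with no bound, and `port` is an `int` whose range depends on the configurable pool size, so this should be `snprintf(term, sizeof(term), TERMSPEC, port);` with the truncated result checked before use. The local `error` is set to 0 and never used, and the message `"Unepected inout\n"` has a typo.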
@@ -1472,6 +1721,10 @@
 		INTERNAL_IP4_DNS,
 		INTERNAL_IP4_NBNS,
 		UNITY_BANNER,
+		UNITY_DEF_DOMAIN,
+		UNITY_SPLITDNS_NAME,
+		UNITY_SPLIT_INCLUDE,
+		UNITY_LOCAL_LAN,
 		APPLICATION_VERSION,
 	};
 
@@ -1496,6 +1749,9 @@
 		attr++;
 	}
 
+	plog(LLV_DEBUG, LOCATION, NULL, 
+		    "Sending MODE_CFG REQUEST\n");
+
 	error = isakmp_cfg_send(iph1, buffer,
 	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
 
@@ -1523,22 +1779,113 @@
 	return;
 }
 
+static void
+isakmp_cfg_appendaddr4(attr, ip, num, max)
+	struct isakmp_data *attr;
+	struct in_addr *ip;
+	int *num;
+	int max;
+{
+	size_t alen = ntohs(attr->lorv);
+	in_addr_t *addr;
+
+	if (alen != sizeof(*ip)) {
+		plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
+		return;
+	}
+	if (*num == max) {
+		plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n");
+		return;
+	}
+
+	addr = (in_addr_t *)(attr + 1);
+	ip->s_addr = *addr;
+	*num++;
+
+	return;
+}
+
+static void
+isakmp_cfg_getstring(attr, str)
+	struct isakmp_data *attr;
+	char *str;
+{
+	size_t alen = ntohs(attr->lorv);
+	char *src;
+	src = (char *)(attr + 1);
+
+	memcpy(str, src, (alen > MAXPATHLEN ? MAXPATHLEN : alen));
+
+	return;
+}
+
+#define IP_MAX 40
+
+void
+isakmp_cfg_iplist_to_str(dest, count, addr, withmask)
+	char *dest;
+	int count;
+	void *addr;
+	int withmask;
+{
+	int i;
+	int p;
+	int l;
+	struct unity_network tmp;
+	for(i = 0, p = 0; i < count; i++) {
+		if(withmask == 1)
+			l = sizeof(struct unity_network);
+		else
+			l = sizeof(struct in_addr);
+		memcpy(&tmp, addr, l);
+		addr += l;
+		if((uint32_t)tmp.addr4.s_addr == 0)
+			break;
+	
+		inet_ntop(AF_INET, &tmp.addr4, dest + p, IP_MAX);
+		p += strlen(dest + p);
+		if(withmask == 1) {
+			dest[p] = '/';
+			p++;
+			inet_ntop(AF_INET, &tmp.mask4, dest + p, IP_MAX);
+			p += strlen(dest + p);
+		}
+		dest[p] = ' ';
+		p++;
+	}
+	if(p > 0)
+		dest[p-1] = '\0';
+	else
+		dest[0] = '\0';
+}
+
 int
 isakmp_cfg_setenv(iph1, envp, envc)
 	struct ph1handle *iph1; 
 	char ***envp;
 	int *envc;
 {
-#define IP_MAX 40
 	char addrstr[IP_MAX];
+	char addrlist[IP_MAX * MAXNS + MAXNS];
+	char *splitlist = addrlist;
+	char defdom[MAXPATHLEN + 1];
+	int cidr, tmp;
+	char cidrstr[4];
+	int i, p;
+	int test;
+
+	plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
 
 	/* 
 	 * Internal IPv4 address, either if 
 	 * we are a client or a server.
 	 */
 	if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) ||
+#ifdef HAVE_LIBLDAP
+	    (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
+#endif
 #ifdef HAVE_LIBRADIUS
-	    (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_RADIUS) ||
+	    (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
 #endif
 	    (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) {
 		inet_ntop(AF_INET, &iph1->mode_cfg->addr4, 
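Review bot: `*num++;` in `isakmp_cfg_appendaddr4` increments the local pointer `num`, not the counter it points to (postfix `++` binds tighter than `*`), so `dns4_index`/`wins4_index` never advance, every received address overwrites slot 0, and the `*num == max` overflow guard never trips; the fix is `(*num)++;`. `isakmp_cfg_getstring` copies up to MAXPATHLEN bytes but writes no terminator, so `default_domain` is only a valid C string if the destination was zeroed beforehand — not visible here — and `str[alen > MAXPATHLEN ? MAXPATHLEN : alen] = '\0';` after the memcpy would make that independent of the caller. In `isakmp_cfg_iplist_to_str`, `addr += l` is arithmetic on a `void *`, a GNU extension rather than ISO C; a `char *` cursor would be portable, and the function writes into `dest` without a size parameter, relying on the caller to size it for `count` entries.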
@@ -1551,6 +1898,15 @@
 		return -1;
 	}
 
+	if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) {
+		if (script_env_append(envp, envc, "XAUTH_USER", 
+		    iph1->mode_cfg->xauth.authdata.generic.usr) != 0) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "Cannot set XAUTH_USER\n");
+			return -1;
+		}
+	}
+
 	/* Internal IPv4 mask */
 	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4) 
 		inet_ntop(AF_INET, &iph1->mode_cfg->mask4, 
@@ -1558,45 +1914,247 @@
 	else
 		addrstr[0] = '\0';
 
-       /* 
-	* During several releases, documentation adverised INTERNAL_NETMASK4
-	* while code was using INTERNAL_MASK4. We now do both.
-	*/
-	if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) {
-                plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n");
-                return -1;
-        } 
+	/* 	
+	 * During several releases, documentation adverised INTERNAL_NETMASK4
+	 * while code was using INTERNAL_MASK4. We now do both.
+	 */
+
+	if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) { 
+		plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n");
+		return -1;
+	}
 
-       if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) {
-	       plog(LLV_ERROR, LOCATION, NULL,  
-		   "Cannot set INTERNAL_NETMASK4\n");
-	       return -1;
-       }
+	if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) { 
+		plog(LLV_ERROR, LOCATION, NULL, 
+		    "Cannot set INTERNAL_NETMASK4\n");
+		return -1;
+	}
 
+	tmp = ntohl(iph1->mode_cfg->mask4.s_addr);
+	for (cidr = 0; tmp != 0; cidr++)
+		tmp <<= 1;
+	snprintf(cidrstr, 3, "%d", cidr);
+
+	if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n");
+		return -1;
+	}
 
 	/* Internal IPv4 DNS */
-	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) 
-		inet_ntop(AF_INET, &iph1->mode_cfg->dns4, 
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) {
+		/* First Internal IPv4 DNS (for compatibilty with older code */
+		inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0], 
 		    addrstr, IP_MAX);
-	else
+
+		/* Internal IPv4 DNS - all */
+		isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index,
+			(void *)iph1->mode_cfg->dns4, 0);
+	} else {
 		addrstr[0] = '\0';
+		addrlist[0] = '\0';
+	}
 
-	if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) { 
+	if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) {
 		plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n");
 		return -1;
 	}
-
+	if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+		    "Cannot set INTERNAL_DNS4_LIST\n");
+		return -1;
+	}
+	
 	/* Internal IPv4 WINS */
-	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) 
-		inet_ntop(AF_INET, &iph1->mode_cfg->wins4, 
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) {
+		/* 
+		 * First Internal IPv4 WINS 
+		 * (for compatibilty with older code 
+		 */
+		inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0], 
 		    addrstr, IP_MAX);
+
+		/* Internal IPv4 WINS - all */
+		isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index,
+			(void *)iph1->mode_cfg->wins4, 0);
+	} else {
+		addrstr[0] = '\0';
+		addrlist[0] = '\0';
+	}
+
+	if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+		    "Cannot set INTERNAL_WINS4\n");
+		return -1;
+	}
+	if (script_env_append(envp, envc, 
+	    "INTERNAL_WINS4_LIST", addrlist) != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+		    "Cannot set INTERNAL_WINS4_LIST\n");
+		return -1;
+	}
+
+	/* Deault domain */
+	if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN) 
+		strncpy(defdom, 
+		    iph1->mode_cfg->default_domain, 
+		    MAXPATHLEN + 1);
 	else
-		addrstr[0] = '\0';
+		defdom[0] = '\0';
+	
+	if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) { 
+		plog(LLV_ERROR, LOCATION, NULL, 
+		    "Cannot set DEFAULT_DOMAIN\n");
+		return -1;
+	}
+
+	/* Split networks */
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE)
+		splitlist = splitnet_list_2str(iph1->mode_cfg->split_include);
+	else {
+		splitlist = addrlist;
+		addrlist[0] = '\0';
+	}
+
+	if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
+		return -1;
+	}
+	if (splitlist != addrlist)
+		racoon_free(splitlist);
+
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL)
+		splitlist = splitnet_list_2str(iph1->mode_cfg->split_local);
+	else {
+		splitlist = addrlist;
+		addrlist[0] = '\0';
+	}
+
+	if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n");
+		return -1;
+	}
+	if (splitlist != addrlist)
+		racoon_free(splitlist);
+	
+	return 0;
+}
+
+int
+isakmp_cfg_resize_pool(size)
+	int size;
+{
+	struct isakmp_cfg_port *new_pool;
+	size_t len;
+	int i;
+
+	if (size == isakmp_cfg_config.pool_size)
+		return 0;
+
+	plog(LLV_INFO, LOCATION, NULL,
+	    "Resize address pool from %zu to %d\n",
+	    isakmp_cfg_config.pool_size, size);
+
+	/* If a pool already exists, check if we can shrink it */
+	if ((isakmp_cfg_config.port_pool != NULL) &&
+	    (size < isakmp_cfg_config.pool_size)) {
+		for (i = isakmp_cfg_config.pool_size; i >= size; --i) {
+			if (isakmp_cfg_config.port_pool[i].used) {
+				plog(LLV_ERROR, LOCATION, NULL, 
+				    "resize pool from %zu to %d impossible "
+				    "port %d is in use\n", 
+				    isakmp_cfg_config.pool_size, size, i);
+				size = i;
+				break;
+			}	
+		}
+	}
 
-	if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) { 
-		plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_WINS4\n");
+	len = size * sizeof(*isakmp_cfg_config.port_pool);
+	new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len);
+	if (new_pool == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+		    "resize pool from %zu to %d impossible: %s",
+		    isakmp_cfg_config.pool_size, size, strerror(errno));
 		return -1;
 	}
 
+	/* If size increase, intialize correctly the new records */
+	if (size > isakmp_cfg_config.pool_size) {
+		size_t unit;
+		size_t old_size;
+
+		unit =  sizeof(*isakmp_cfg_config.port_pool);
+		old_size = isakmp_cfg_config.pool_size;
+
+		bzero((char *)new_pool + (old_size * unit), 
+		    (size - old_size) * unit);
+	}
+
+	isakmp_cfg_config.port_pool = new_pool;
+	isakmp_cfg_config.pool_size = size;
+
+	return 0;
+}
+
+int
+isakmp_cfg_init(cold) 
+	int cold;
+{
+	int i;
+	int error;
+
+	isakmp_cfg_config.network4 = (in_addr_t)0x00000000;
+	isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000;
+	for (i = 0; i < MAXNS; i++)
+		isakmp_cfg_config.dns4[i] = (in_addr_t)0x00000000;
+	isakmp_cfg_config.dns4_index = 0;
+	for (i = 0; i < MAXWINS; i++)
+		isakmp_cfg_config.nbns4[i] = (in_addr_t)0x00000000;
+	isakmp_cfg_config.nbns4_index = 0;
+	if (cold == ISAKMP_CFG_INIT_COLD)
+		isakmp_cfg_config.port_pool = NULL;
+	isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
+	isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
+	if (cold == ISAKMP_CFG_INIT_COLD) {
+		if (isakmp_cfg_config.grouplist != NULL) {
+			for (i = 0; i < isakmp_cfg_config.groupcount; i++)
+				racoon_free(isakmp_cfg_config.grouplist[i]);
+			racoon_free(isakmp_cfg_config.grouplist);
+		}
+	}
+	isakmp_cfg_config.grouplist = NULL;
+	isakmp_cfg_config.groupcount = 0;
+	isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
+	isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
+	if (cold == ISAKMP_CFG_INIT_COLD)
+		isakmp_cfg_config.pool_size = 0;
+	isakmp_cfg_config.auth_throttle = THROTTLE_PENALTY;
+	strlcpy(isakmp_cfg_config.default_domain, ISAKMP_CFG_DEFAULT_DOMAIN,
+	    MAXPATHLEN);
+	strlcpy(isakmp_cfg_config.motd, ISAKMP_CFG_MOTD, MAXPATHLEN);
+
+	if (cold != ISAKMP_CFG_INIT_COLD )
+		if (isakmp_cfg_config.splitnet_list != NULL)
+			splitnet_list_free(isakmp_cfg_config.splitnet_list,
+				&isakmp_cfg_config.splitnet_count);
+	isakmp_cfg_config.splitnet_list = NULL;
+	isakmp_cfg_config.splitnet_count = 0;
+	isakmp_cfg_config.splitnet_type = 0;
+
+	isakmp_cfg_config.pfs_group = 0;
+	isakmp_cfg_config.save_passwd = 0;
+
+	if (cold != ISAKMP_CFG_INIT_COLD )
+		if (isakmp_cfg_config.splitdns_list != NULL)
+			racoon_free(isakmp_cfg_config.splitdns_list);
+	isakmp_cfg_config.splitdns_list = NULL;
+	isakmp_cfg_config.splitdns_len = 0;
+
+	if (cold == ISAKMP_CFG_INIT_COLD) {
+		if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
+			return error;
+	}
+
 	return 0;
 }
+
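Review bot: The shrink check in `isakmp_cfg_resize_pool` starts at `i = isakmp_cfg_config.pool_size`, which reads `port_pool[pool_size]`, one element past the allocation, and when it finds a used slot it sets `size = i`, which makes the new pool end at slot `i - 1` and so drops the very port it reported as in use; it should be `for (i = isakmp_cfg_config.pool_size - 1; i >= size; --i)` and `size = i + 1;` (assuming slot `i` is the entry for port `i`, as the message says). In `isakmp_cfg_setenv` the CIDR loop shifts `int tmp` left while it is non-zero, and since any non-empty netmask has the top bit set this is a left shift of a negative signed value, undefined in C; declare `tmp` as `u_int32_t` (the type this commit already uses for `last_msgid`). In `isakmp_cfg_init`, `grouplist` is freed only when `cold == ISAKMP_CFG_INIT_COLD`, the opposite of how `splitnet_list` and `splitdns_list` are handled a few lines below, which looks like an inverted condition that leaks the group list on reload. The early `return -1` paths after `splitnet_list_2str` also skip the matching `racoon_free(splitlist)`.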
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.h,v 1.5 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_cfg.h,v 1.6 2006/09/09 16:22:09 manu Exp $	*/
 
 /*	$KAME$ */
 
@@ -59,12 +59,14 @@
 #define INTERNAL_IP6_SUBNET        15
 
 /* For APPLICATION_VERSION */
-#define ISAKMP_CFG_RACOON_VERSION "KAME/racoon " \
-				  "+ Hybrid auth Patches <manu@netbsd.org>"
+#define ISAKMP_CFG_RACOON_VERSION "racoon / IPsec-tools"
+
+/* For the wins servers -- XXX find the value somewhere ? */
+#define MAXWINS 4
 
 /* 
  * Global configuration for ISAKMP mode confiration address allocation 
- * Readen from the mode_cfg section of racoon.conf
+ * Read from the mode_cfg section of racoon.conf
  */
 struct isakmp_cfg_port {
 	char	used;
@@ -74,34 +76,57 @@
 };
 
 struct isakmp_cfg_config {
-	in_addr_t	network4;
-	in_addr_t	netmask4;
-	in_addr_t	dns4;
-	in_addr_t	nbns4;
-	struct isakmp_cfg_port *port_pool;
-	int authsource;
-	int confsource;
-	int accounting;
-	size_t pool_size;
-	int auth_throttle;
-	char motd[MAXPATHLEN + 1];
-	int pfs_group;
-	int save_passwd;
+	in_addr_t		network4;
+	in_addr_t		netmask4;
+	in_addr_t		dns4[MAXNS];
+	int			dns4_index;
+	in_addr_t		nbns4[MAXWINS];
+	int			nbns4_index;
+	struct isakmp_cfg_port 	*port_pool;
+	int			authsource;
+	int			groupsource;
+	char			**grouplist;
+	int			groupcount;
+	int			confsource;
+	int			accounting;
+	size_t			pool_size;
+	int			auth_throttle;
+	/* XXX move this to a unity specific sub-structure */
+	char			default_domain[MAXPATHLEN + 1];
+	char			motd[MAXPATHLEN + 1];
+	struct unity_netentry	*splitnet_list;
+	int			splitnet_count;
+	int			splitnet_type;
+	char 			*splitdns_list;
+	int			splitdns_len;
+	int			pfs_group;
+	int			save_passwd;
 };
 
+/* For utmp updating */
+#define TERMSPEC	"vpn%d"
+
 /* For authsource */
 #define ISAKMP_CFG_AUTH_SYSTEM	0
 #define ISAKMP_CFG_AUTH_RADIUS	1
 #define ISAKMP_CFG_AUTH_PAM	2
+#define ISAKMP_CFG_AUTH_LDAP	4
+
+/* For groupsource */
+#define ISAKMP_CFG_GROUP_SYSTEM	0
+#define ISAKMP_CFG_GROUP_LDAP	1
 
 /* For confsource */
 #define ISAKMP_CFG_CONF_LOCAL	0
 #define ISAKMP_CFG_CONF_RADIUS	1
+#define ISAKMP_CFG_CONF_LDAP	2
 
 /* For accounting */
 #define ISAKMP_CFG_ACCT_NONE	0
 #define ISAKMP_CFG_ACCT_RADIUS	1
 #define ISAKMP_CFG_ACCT_PAM	2
+#define ISAKMP_CFG_ACCT_LDAP	3
+#define ISAKMP_CFG_ACCT_SYSTEM	4
 
 /* For pool_size */
 #define ISAKMP_CFG_MAX_CNX	255
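Review bot: `dns4[MAXNS]` in `struct isakmp_cfg_config` makes this header depend on `MAXNS`, which comes from `<resolv.h>`, yet no include for it is visible in the header's hunks — isakmp_cfg.c does add `#include <resolv.h>` before its own headers, so it works there, but any other translation unit including isakmp_cfg.h would need the same ordering. Either include `<resolv.h>` from the header or note the requirement next to the field, e.g. `/* MAXNS: requires <resolv.h> before this header */`. The `MAXWINS 4` definition carries an `XXX find the value somewhere` comment; if it is a local choice rather than a protocol constant, saying so explicitly would avoid future guessing.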
@@ -109,6 +134,9 @@
 /* For motd */
 #define ISAKMP_CFG_MOTD	"/etc/motd"
 
+/* For default domain */
+#define ISAKMP_CFG_DEFAULT_DOMAIN ""
+
 extern struct isakmp_cfg_config isakmp_cfg_config;
 
 /*
@@ -121,18 +149,28 @@
 	char login[LOGINLEN + 1];	/* login */
 	struct in_addr addr4;		/* IPv4 address */
 	struct in_addr mask4;		/* IPv4 netmask */
-	struct in_addr dns4;		/* IPv4 DNS (when client only) */
-	struct in_addr wins4;		/* IPv4 WINS (when client only) */
+	struct in_addr dns4[MAXNS];	/* IPv4 DNS (when client only) */
+	int dns4_index;			/* Number of IPv4 DNS (client only) */
+	struct in_addr wins4[MAXWINS];	/* IPv4 WINS (when client only) */
+	int wins4_index;		/* Number of IPv4 WINS (client only) */
+	char default_domain[MAXPATHLEN + 1];	/* Default domain recieved */
+	struct unity_netentry 
+	    *split_include; 		/* UNITY_SPLIT_INCLUDE */
+	int include_count;		/* Number of SPLIT_INCLUDES */
+	struct unity_netentry 
+	    *split_local;		/* UNITY_LOCAL_LAN */
+	int local_count;		/* Number of SPLIT_LOCAL */
 	struct xauth_state xauth;	/* Xauth state, if revelant */		
 	struct isakmp_ivm *ivm;		/* XXX Use iph1's ivm? */
+	u_int32_t last_msgid;           /* Last message-ID */
 };
 
 /* flags */
 #define ISAKMP_CFG_VENDORID_XAUTH	0x01	/* Supports Xauth */
 #define ISAKMP_CFG_VENDORID_UNITY	0x02	/* Cisco Unity compliant */
 #define ISAKMP_CFG_PORT_ALLOCATED	0x04	/* Port allocated */
-#define ISAKMP_CFG_ADDR4_RADIUS		0x08	/* Address from RADIUS  */
-#define ISAKMP_CFG_MASK4_RADIUS		0x10	/* Netmask from RADIUS */
+#define ISAKMP_CFG_ADDR4_EXTERN		0x08	/* Address from external config  */
+#define ISAKMP_CFG_MASK4_EXTERN		0x10	/* Netmask from external config */
 #define ISAKMP_CFG_ADDR4_LOCAL		0x20	/* Address from local pool */
 #define ISAKMP_CFG_MASK4_LOCAL		0x40	/* Netmask from local pool */
 #define ISAKMP_CFG_GOT_ADDR4		0x80	/* Client got address */
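Review bot: The new `split_include` and `split_local` list pointers in struct isakmp_cfg_state carry counts but no note on who allocates and frees them (the code that disposes of the state, presumably); a comment such as `/* UNITY_SPLIT_INCLUDE; allocated by the attribute parser, released with the state */` would pin that down if it is the contract. The comment on `default_domain` misspells "received" as `recieved`, and `u_int32_t last_msgid;` is aligned with spaces where the surrounding members use tabs. Renaming ISAKMP_CFG_ADDR4_RADIUS/MASK4_RADIUS to _EXTERN is a public-name change; every user of the old macros must be updated in the same commit.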
@@ -140,6 +178,9 @@
 #define ISAKMP_CFG_GOT_DNS4		0x200	/* Client got DNS */
 #define ISAKMP_CFG_GOT_WINS4		0x400	/* Client got WINS */
 #define ISAKMP_CFG_DELETE_PH1		0x800	/* phase 1 should be deleted */
+#define ISAKMP_CFG_GOT_DEFAULT_DOMAIN	0x1000	/* Client got default domain */
+#define ISAKMP_CFG_GOT_SPLIT_INCLUDE	0x2000	/* Client got a split network config */
+#define ISAKMP_CFG_GOT_SPLIT_LOCAL	0x4000	/* Client got a split LAN config */
 
 struct isakmp_pl_attr;
 struct ph1handle;
@@ -155,12 +196,17 @@
 struct isakmp_cfg_state *isakmp_cfg_mkstate(void);
 vchar_t *isakmp_cfg_copy(struct ph1handle *, struct isakmp_data *);
 vchar_t *isakmp_cfg_short(struct ph1handle *, struct isakmp_data *, int);
+vchar_t *isakmp_cfg_varlen(struct ph1handle *, struct isakmp_data *, char *, size_t);
 vchar_t *isakmp_cfg_string(struct ph1handle *, struct isakmp_data *, char *);
 int isakmp_cfg_getconfig(struct ph1handle *);
 int isakmp_cfg_setenv(struct ph1handle *, char ***, int *);
 
-int isakmp_cfg_getport(struct ph1handle *);       
+int isakmp_cfg_resize_pool(int);
+int isakmp_cfg_getport(struct ph1handle *);
 int isakmp_cfg_putport(struct ph1handle *, unsigned int);
+int isakmp_cfg_init(int);
+#define ISAKMP_CFG_INIT_COLD	1
+#define ISAKMP_CFG_INIT_WARM	0
 
 #ifdef HAVE_LIBRADIUS
 struct rad_handle;
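Review bot: `isakmp_cfg_resize_pool(int)` takes the new pool size as a signed int while `isakmp_cfg_config.pool_size` is a size_t, so the implementation (not in this hunk) must reject negative values before the conversion; otherwise a negative size from the configuration would turn into a very large allocation request. The values that document the argument of `isakmp_cfg_init(int)` are defined after the prototype; a comment such as `/* argument of isakmp_cfg_init() */` above ISAKMP_CFG_INIT_COLD would tie them together, and naming the parameter (`int isakmp_cfg_init(int cold);` or similar) would make the prototype self-describing.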
@@ -172,3 +218,5 @@
 int isakmp_cfg_accounting_pam(int, int);
 void cleanup_pam(int);
 #endif
+
+int isakmp_cfg_accounting_system(int, struct sockaddr *, char *, int);
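Review bot: The prototype `int isakmp_cfg_accounting_system(int, struct sockaddr *, char *, int);` gives no parameter names, so a caller cannot tell the two `int` arguments apart from the declaration; unlike the RADIUS and PAM accounting prototypes it also sits outside any feature guard. Adding parameter names to the prototype and a short comment on what it records (the utmp entry built from TERMSPEC, presumably) would document the interface.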
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_frag.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_frag.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
-/*	Id: isakmp_frag.h,v 1.2 2004/10/24 16:51:24 manubsd Exp */
+/*	Id: isakmp_frag.h,v 1.3 2005/04/09 16:25:24 manubsd Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus 
@@ -32,6 +32,7 @@
  */
 
 /* IKE fragmentation capabilities */
+#define VENDORID_FRAG_IDENT 	0x80000000
 #define VENDORID_FRAG_BASE 	0x40000000
 #define VENDORID_FRAG_AGG 	0x80000000
 
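Review bot: `VENDORID_FRAG_IDENT` is defined as 0x80000000, the same bit as the existing `VENDORID_FRAG_AGG`, so a test such as `vendorid_frag_cap(...) & VENDORID_FRAG_IDENT` (used in isakmp_ident.c in this commit) is also true for a peer that only announced aggressive-mode fragmentation. If the two modes genuinely share one capability bit, say so in a comment next to the define, e.g. `/* same bit as VENDORID_FRAG_AGG: peers advertise one capability for both modes */`; if not, the value is wrong.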
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_ident.c,v 1.4 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.5 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: isakmp_ident.c,v 1.13.2.2 2005/11/21 09:46:23 vanhu Exp */
+/* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -81,6 +81,14 @@
 #ifdef HAVE_GSSAPI
 #include "gssapi.h"
 #endif
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#include "isakmp_xauth.h"
+#include "isakmp_cfg.h"
+#endif
+#ifdef ENABLE_FRAG 
+#include "isakmp_frag.h"
+#endif
 
 static vchar_t *ident_ir2mx __P((struct ph1handle *));
 static vchar_t *ident_ir3mx __P((struct ph1handle *));
@@ -106,6 +114,13 @@
 	vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
 	int i;
 #endif
+#ifdef ENABLE_HYBRID  
+	vchar_t *vid_xauth = NULL;
+	vchar_t *vid_unity = NULL;
+#endif
+#ifdef ENABLE_FRAG 
+	vchar_t *vid_frag = NULL;
+#endif 
 #ifdef ENABLE_DPD
 	vchar_t *vid_dpd = NULL;
 #endif
@@ -138,12 +153,53 @@
 	if (iph1->rmconf->nat_traversal) 
 		plist = isakmp_plist_append_natt_vids(plist, vid_natt);
 #endif
+#ifdef ENABLE_HYBRID
+	/* Do we need Xauth VID? */
+	switch (RMAUTHMETHOD(iph1)) {
+	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
+		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "Xauth vendor ID generation failed\n");
+		else
+			plist = isakmp_plist_append(plist,
+			    vid_xauth, ISAKMP_NPTYPE_VID);
+			
+		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "Unity vendor ID generation failed\n");
+		else
+                	plist = isakmp_plist_append(plist,
+			    vid_unity, ISAKMP_NPTYPE_VID);
+		break;
+	default:
+		break;
+	}
+#endif
+#ifdef ENABLE_FRAG
+	if (iph1->rmconf->ike_frag) {
+		if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Frag vendorID construction failed\n");
+		} else {
+			vid_frag = isakmp_frag_addcap(vid_frag,
+			    VENDORID_FRAG_IDENT);
+			plist = isakmp_plist_append(plist, 
+			    vid_frag, ISAKMP_NPTYPE_VID);
+		}
+	}
+#endif
 #ifdef ENABLE_DPD
 	if(iph1->rmconf->dpd){
 		vid_dpd = set_vendorid(VENDORID_DPD);
 		if (vid_dpd != NULL)
 			plist = isakmp_plist_append(plist, vid_dpd,
-										ISAKMP_NPTYPE_VID);
+			    ISAKMP_NPTYPE_VID);
 	}
 #endif
 
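Review bot: In the ENABLE_FRAG block the value returned by `isakmp_frag_addcap(vid_frag, VENDORID_FRAG_IDENT)` is appended to plist without a NULL check, while the responder-side code added later in this file (the hunk adding the frag VID to ident_r1send) tests `vid_frag == NULL` after the same call; if addcap can fail, the initiator appends a NULL payload. Mirror the responder: `if (vid_frag != NULL) vid_frag = isakmp_frag_addcap(vid_frag, VENDORID_FRAG_IDENT); if (vid_frag == NULL) plog(...); else plist = isakmp_plist_append(...)`. The `plist = isakmp_plist_append(plist,` line under the Unity branch is indented with spaces where the file uses tabs. The enclosing function starts outside this hunk.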
@@ -163,10 +219,20 @@
 	error = 0;
 
 end:
+#ifdef ENABLE_FRAG
+	if (vid_frag) 
+		vfree(vid_frag);
+#endif  
 #ifdef ENABLE_NATT
 	for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
 		vfree(vid_natt[i]);
 #endif
+#ifdef ENABLE_HYBRID
+	if (vid_xauth != NULL)
+		vfree(vid_xauth);
+	if (vid_unity != NULL)
+		vfree(vid_unity);
+#endif
 #ifdef ENABLE_DPD
 	if (vid_dpd != NULL)
 		vfree(vid_dpd);
@@ -238,6 +304,22 @@
 			if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
 			  natt_handle_vendorid(iph1, vid_numeric);
 #endif
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+	
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+	
+			default:
+				break;
+			}
+#endif  
 #ifdef ENABLE_DPD
 			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
 				iph1->dpd_support=1;
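Review bot: The `switch (vid_numeric)` that sets ISAKMP_CFG_VENDORID_XAUTH and ISAKMP_CFG_VENDORID_UNITY on `iph1->mode_cfg->flags` is repeated verbatim in the later hunk of this file that handles vendor IDs on the responder side; a small static helper taking iph1 and vid_numeric would keep the two copies in step. Both copies also assume `iph1->mode_cfg` is non-NULL whenever ENABLE_HYBRID is defined, which holds only if every ph1handle gets its state from isakmp_cfg_mkstate() at creation, not visible here. The enclosing function begins outside this hunk.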
@@ -319,7 +401,7 @@
 		goto end;
 
 #ifdef HAVE_GSSAPI
-	if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
+	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
 	    gssapi_get_itoken(iph1, NULL) < 0)
 		goto end;
 #endif
@@ -485,6 +567,10 @@
 	error = 0;
 
 end:
+#ifdef HAVE_GSSAPI
+	if (gsstoken)
+		vfree(gsstoken);
+#endif
 	if (pbuf)
 		vfree(pbuf);
 	if (error) {
@@ -544,7 +630,7 @@
 		goto end;
 
 #ifdef HAVE_GSSAPI
-	if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
+	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
 	    gssapi_more_tokens(iph1)) {
 		plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n");
 		if (gssapi_get_itoken(iph1, &len) < 0)
@@ -840,6 +926,27 @@
 			if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
 				natt_handle_vendorid(iph1, vid_numeric);
 #endif
+#ifdef ENABLE_FRAG
+			if ((vid_numeric == VENDORID_FRAG) &&
+			    (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
+				iph1->frag = 1;
+#endif   
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+		
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+	
+			default:  
+				break;
+			}
+#endif
 #ifdef ENABLE_DPD
 			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
 				iph1->dpd_support=1;
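Review bot: `vendorid_frag_cap(pa->ptr)` reads the capability word that follows the vendor-ID body of a peer-supplied payload, and the condition around it only compares `vid_numeric` with VENDORID_FRAG; whether the payload length is checked against the vendor ID plus its capability word before that read is not visible in this hunk. Confirm that `vendorid_frag_cap` (or isakmp_parse before it) rejects a VENDORID_FRAG payload that is shorter than that, or add the length test here before calling it. The enclosing function begins outside this hunk.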
@@ -905,13 +1012,23 @@
 	struct payload_list *plist = NULL;
 	int error = -1;
 	vchar_t *gss_sa = NULL;
+#ifdef HAVE_GSSAPI
+	int free_gss_sa = 0;
+#endif
 	vchar_t *vid = NULL;
 #ifdef ENABLE_NATT
 	vchar_t *vid_natt = NULL;
 #endif
+#ifdef ENABLE_HYBRID
+        vchar_t *vid_xauth = NULL;
+        vchar_t *vid_unity = NULL;
+#endif  
 #ifdef ENABLE_DPD
 	vchar_t *vid_dpd = NULL;
 #endif
+#ifdef ENABLE_FRAG          
+	vchar_t *vid_frag = NULL;
+#endif 
 
 	/* validity check */
 	if (iph1->status != PHASE1ST_MSG1RECEIVED) {
@@ -924,9 +1041,11 @@
 	isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
 
 #ifdef HAVE_GSSAPI
-	if (iph1->approval->gssid != NULL)
+	if (iph1->approval->gssid != NULL) {
 		gss_sa = ipsecdoi_setph1proposal(iph1->approval);
-	else
+		if (gss_sa != iph1->sa_ret)
+			free_gss_sa = 1;
+	} else 
 #endif
 		gss_sa = iph1->sa_ret;
 
@@ -937,6 +1056,28 @@
 	if (vid)
 		plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
 
+#ifdef ENABLE_HYBRID
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
+		plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
+		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Cannot create Xauth vendor ID\n");
+			goto end;
+		}
+		plist = isakmp_plist_append(plist,
+		    vid_xauth, ISAKMP_NPTYPE_VID);
+	}
+
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
+		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Cannot create Unity vendor ID\n");
+			goto end;
+		}
+		plist = isakmp_plist_append(plist,
+		    vid_unity, ISAKMP_NPTYPE_VID);
+	}
+#endif
 #ifdef ENABLE_NATT
 	/* Has the peer announced NAT-T? */
 	if (NATT_AVAILABLE(iph1))
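Review bot: The two `goto end` paths added for a failed set_vendorid() leave `error` at -1 and leave the function before `isakmp_plist_set_all()` consumes plist, so the payload_list nodes already appended are not released unless something at `end:` frees them, which this hunk does not show; the initiator-side code in ident_i1send handles the same failure by logging and continuing without the optional VID. Either release the partial list on this path or follow the initiator: `plog(LLV_ERROR, ...);` on failure, `else plist = isakmp_plist_append(plist, vid_xauth, ISAKMP_NPTYPE_VID);`. `plog (LLV_INFO, ...` has a space before the parenthesis unlike every other call. The enclosing function begins outside this hunk.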
@@ -953,6 +1094,20 @@
 			plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
 	}
 #endif
+#ifdef ENABLE_FRAG
+	if (iph1->frag) {
+		vid_frag = set_vendorid(VENDORID_FRAG);
+		if (vid_frag != NULL)
+			vid_frag = isakmp_frag_addcap(vid_frag,
+			    VENDORID_FRAG_IDENT);
+		if (vid_frag == NULL)
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Frag vendorID construction failed\n");
+		else
+			plist = isakmp_plist_append(plist, 
+			     vid_frag, ISAKMP_NPTYPE_VID);
+	}
+#endif
 
 	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
 
@@ -962,8 +1117,9 @@
 
 	/* send the packet, add to the schedule to resend */
 	iph1->retry_counter = iph1->rmconf->retry_counter;
-	if (isakmp_ph1resend(iph1) == -1)
+	if (isakmp_ph1resend(iph1) == -1) {
 		goto end;
+	}
 
 	/* the sending message is added to the received-list. */
 	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
@@ -978,7 +1134,7 @@
 
 end:
 #ifdef HAVE_GSSAPI
-	if (gss_sa != iph1->sa_ret)
+	if (free_gss_sa)
 		vfree(gss_sa);
 #endif
 	if (vid)
@@ -988,10 +1144,20 @@
 	if (vid_natt)
 		vfree(vid_natt);
 #endif
+#ifdef ENABLE_HYBRID
+	if (vid_xauth != NULL)
+		vfree(vid_xauth);
+	if (vid_unity != NULL)
+		vfree(vid_unity);
+#endif
 #ifdef ENABLE_DPD
 	if (vid_dpd != NULL)
 		vfree(vid_dpd);
 #endif
+#ifdef ENABLE_FRAG
+	if (vid_frag != NULL)
+		vfree(vid_frag);
+#endif
 
 	return error;
 }
@@ -1064,7 +1230,7 @@
 		case ISAKMP_NPTYPE_NATD_DRAFT:
 		case ISAKMP_NPTYPE_NATD_RFC:
 			if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
-			    pa->type == iph1->natt_options->payload_nat_d)
+				pa->type == iph1->natt_options->payload_nat_d)
 			{
 				vchar_t *natd_received = NULL;
 				int natd_verified;
@@ -1168,7 +1334,7 @@
 		goto end;
 
 #ifdef HAVE_GSSAPI
-	if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
+	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
 		gssapi_get_rtoken(iph1, NULL);
 #endif
 
@@ -1315,18 +1481,31 @@
     {
 	int ng = 0;
 
-	switch (iph1->approval->authmethod) {
+	switch (AUTHMETHOD(iph1)) {
 	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+#endif
 		if (iph1->id_p == NULL || iph1->pl_hash == NULL)
 			ng++;
 		break;
 	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+#endif
 		if (iph1->id_p == NULL || iph1->sig_p == NULL)
 			ng++;
 		break;
 	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
+#endif
 		if (iph1->pl_hash == NULL)
 			ng++;
 		break;
@@ -1455,7 +1634,7 @@
 		goto end;
 
 #ifdef HAVE_GSSAPI
-	if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
+	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
 	    gssapi_more_tokens(iph1)) {
 		gssapi_get_rtoken(iph1, &len);
 		if (len != 0)
@@ -1549,7 +1728,7 @@
 	}
 
 #ifdef HAVE_GSSAPI
-	if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
+	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
 		gssapi_get_token_to_send(iph1, &gsstoken);
 #endif
 
@@ -1560,7 +1739,7 @@
 	plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
 
 #ifdef HAVE_GSSAPI
-	if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
+	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
 		plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
 #endif
 
@@ -1653,8 +1832,14 @@
 	vchar_t *gsshash = NULL;
 #endif
 
-	switch (iph1->approval->authmethod) {
+	switch (AUTHMETHOD(iph1)) {
 	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
+#ifdef ENABLE_HYBRID
+	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
+#endif
 		/* create isakmp ID payload */
 		plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
 
@@ -1663,6 +1848,14 @@
 		break;
 	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+#endif 
 		if (oakley_getmycert(iph1) < 0)
 			goto end;
 
@@ -1724,6 +1917,12 @@
 #endif
 	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
+#ifdef ENABLE_HYBRID
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
+	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
+#endif
 		plog(LLV_ERROR, LOCATION, NULL,
 			"not supported authentication type %d\n",
 			iph1->approval->authmethod);
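Review bot: The `plog` for the unsupported method prints `iph1->approval->authmethod` while the switch it belongs to (changed in an earlier hunk of this file) now dispatches on `AUTHMETHOD(iph1)`; if the macro maps the hybrid/xauth values to something other than the raw field, the logged number is not the one that selected this branch. Printing `AUTHMETHOD(iph1)` keeps the message consistent with the dispatch. The enclosing function begins outside this hunk.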
@@ -1753,6 +1952,10 @@
 	error = 0;
 
 end:
+#ifdef HAVE_GSSAPI
+	if (gsstoken)
+		vfree(gsstoken);
+#endif
 	if (cr)
 		vfree(cr);
 	if (error && buf != NULL) {
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.h	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.h	Sat Sep 09 16:22:08 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_ident.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
 
 /* Id: isakmp_ident.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat Sep 09 16:17:50 2006 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat Sep 09 16:22:08 2006 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_inf.c,v 1.10 2005/11/21 14:20:29 manu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.11 2006/09/09 16:22:09 manu Exp $	*/
 
-/* Id: isakmp_inf.c,v 1.14.4.9 2005/08/02 15:09:26 vanhu Exp */
+/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -60,6 +60,9 @@
 #  include <time.h>
 # endif
 #endif
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
 
 #include "libpfkey.h"
 
@@ -74,16 +77,18 @@
 #include "localconf.h"
 #include "remoteconf.h"
 #include "sockmisc.h"
+#include "handler.h"
+#include "proposal.h"
 #include "isakmp_var.h"
 #include "evt.h"
 #include "isakmp.h"
 #ifdef ENABLE_HYBRID
 #include "isakmp_xauth.h"
+#include "isakmp_unity.h"
 #include "isakmp_cfg.h" 
 #endif
 #include "isakmp_inf.h"
 #include "oakley.h"
-#include "handler.h"
 #include "ipsec_doi.h"
 #include "crypto_openssl.h"
 #include "pfkey.h"
@@ -97,8 +102,8 @@
 #endif
 
 /* information exchange */
-static int isakmp_info_recv_n __P((struct ph1handle *, vchar_t *));
-static int isakmp_info_recv_d __P((struct ph1handle *, vchar_t *));
+static int isakmp_info_recv_n (struct ph1handle *, struct isakmp_pl_n *, u_int32_t, int);
+static int isakmp_info_recv_d (struct ph1handle *, struct isakmp_pl_d *, u_int32_t, int);
 
 #ifdef ENABLE_DPD
 static int isakmp_info_recv_r_u __P((struct ph1handle *,
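Review bot: The two rewritten prototypes drop the `__P(( ))` wrapper that the rest of this file's declarations keep (the DPD ones directly below), and `static int isakmp_info_recv_n (` puts a space before the parenthesis. For consistency write `static int isakmp_info_recv_n __P((struct ph1handle *, struct isakmp_pl_n *, u_int32_t, int));` and the same form for isakmp_info_recv_d.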
@@ -109,7 +114,6 @@
 #endif
 
 static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
-static void purge_ipsec_spi __P((struct sockaddr *, int, u_int32_t *, size_t));
 static void info_recv_initialcontact __P((struct ph1handle *));
 
 /* %%%
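Review bot: The static prototype of purge_ipsec_spi is removed here while the definition, made non-static in a later hunk of this file, still comes after its first caller in isakmp_info_recv_d; the file therefore compiles cleanly only if a header now declares it (isakmp_inf.h, presumably, which is not part of this diff), so confirm that declaration exists and carries the same signature, `void purge_ipsec_spi(struct sockaddr *, int, u_int32_t *, size_t);`. Otherwise the call relies on an implicit declaration.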
@@ -124,23 +128,32 @@
 	vchar_t *msg0;
 {
 	vchar_t *msg = NULL;
+	vchar_t *pbuf = NULL;
+	u_int32_t msgid = 0;
 	int error = -1;
 	struct isakmp *isakmp;
 	struct isakmp_gen *gen;
+	struct isakmp_parse_t *pa, *pap;
 	void *p;
 	vchar_t *hash, *payload;
 	struct isakmp_gen *nd;
 	u_int8_t np;
 	int encrypted;
+	int flag;
 
 	plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n");
 
 	encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E);
+	msgid = ((struct isakmp *)msg0->v)->msgid;
 
 	/* Use new IV to decrypt Informational message. */
 	if (encrypted) {
+		struct isakmp_ivm *ivm;
 
-		struct isakmp_ivm *ivm;
+		if (iph1->ivm == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL, "iph1->ivm == NULL\n");
+			return -1;
+		}
 
 		/* compute IV */
 		ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid);
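Review bot: `int flag;` is declared without an initializer and the only write to it, `flag |= error;` at the end of the payload loop in the next hunk, reads it first, which is undefined behaviour; nothing reads flag afterwards either, so initialize it (`int flag = 0;`) and use it, or drop it. `pap` is likewise declared and never used. In that same later hunk the default case logs `s_isakmp_nptype(gen->np)`, the first payload's type, rather than `pa->type`, the payload actually being rejected, and it sets error to 0 and keeps iterating where the code it replaces left the function. isakmp_info_recv begins outside this hunk.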
@@ -170,18 +183,18 @@
 	if (encrypted) {
 		if (isakmp->np != ISAKMP_NPTYPE_HASH) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "ignore information because the "
+			    "ignore information because the"
 			    "message has no hash payload.\n");
 			goto end;
 		}
 
 		if (iph1->status != PHASE1ST_ESTABLISHED) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "ignore information because ISAKMP-SA "
+			    "ignore information because ISAKMP-SA"
 			    "has not been established yet.\n");
 			goto end;
 		}
-
+		
 		/* Safety check */
 		if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
 			plog(LLV_ERROR, LOCATION, NULL, 
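Review bot: Removing the trailing space from the split string literals `"ignore information because the"` and `"ignore information because ISAKMP-SA"` changes the logged text to "because themessage" and "ISAKMP-SAhas", since the adjacent literals are concatenated with no separator. Restore the space: `"ignore information because the "` and `"ignore information because ISAKMP-SA "`. Both sit inside isakmp_info_recv, which starts outside this hunk.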
@@ -249,7 +262,7 @@
 		vfree(hash);
 		vfree(payload);
 	} else {
-		/* make sure the packet were encrypted after the beginning of phase 1. */
+		/* make sure the packet was encrypted after the beginning of phase 1. */
 		switch (iph1->etype) {
 		case ISAKMP_ETYPE_AGG:
 		case ISAKMP_ETYPE_BASE:
@@ -263,38 +276,290 @@
 			plog(LLV_ERROR, LOCATION, iph1->remote,
 				"%s message must be encrypted\n",
 				s_isakmp_nptype(np));
+			error = 0;
 			goto end;
 		}
 	}
 
-	switch (np) {
-	case ISAKMP_NPTYPE_N:
-		if (isakmp_info_recv_n(iph1, msg) < 0)
-			goto end;
-		break;
-	case ISAKMP_NPTYPE_D:
-		if (isakmp_info_recv_d(iph1, msg) < 0)
-			goto end;
-		break;
-	case ISAKMP_NPTYPE_NONCE:
-		/* XXX to be 6.4.2 ike-01.txt */
-		/* XXX IV is to be synchronized. */
-		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"ignore Acknowledged Informational\n");
-		break;
-	default:
-		/* don't send information, see isakmp_ident_r1() */
-		error = 0;
-		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"reject the packet, "
-			"received unexpecting payload type %d.\n",
-			gen->np);
+	if (!(pbuf = isakmp_parse(msg))) {
+		error = -1;
 		goto end;
 	}
 
+	error = 0;
+	for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type; pa++) {
+		switch (pa->type) {
+		case ISAKMP_NPTYPE_HASH:
+			/* Handled above */
+			break;
+		case ISAKMP_NPTYPE_N:
+			error = isakmp_info_recv_n(iph1,
+				(struct isakmp_pl_n *)pa->ptr,
+				msgid, encrypted);
+			break;
+		case ISAKMP_NPTYPE_D:
+			error = isakmp_info_recv_d(iph1,
+				(struct isakmp_pl_d *)pa->ptr,
+				msgid, encrypted);
+			break;
+		case ISAKMP_NPTYPE_NONCE:
+			/* XXX to be 6.4.2 ike-01.txt */
+			/* XXX IV is to be synchronized. */
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"ignore Acknowledged Informational\n");
+			break;
+		default:
+			/* don't send information, see isakmp_ident_r1() */
+			error = 0;
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"reject the packet, "
+				"received unexpected payload type %s.\n",
+				s_isakmp_nptype(gen->np));
+		}
+		if(error < 0) {
+			break;
+		} else {
+			flag |= error;
+		}
+	}
     end:
 	if (msg != NULL)
 		vfree(msg);
+	if (pbuf != NULL)
+		vfree(pbuf);
+	return error;
+}
+
+/*
+ * handling of Notification payload
+ */
+static int
+isakmp_info_recv_n(iph1, notify, msgid, encrypted)
+	struct ph1handle *iph1;
+	struct isakmp_pl_n *notify;
+	u_int32_t msgid;
+	int encrypted;
+{
+	u_int type;
+	vchar_t *pbuf;
+	vchar_t *ndata;
+	char *nraw;
+	size_t l;
+	char *spi;
+
+	type = ntohs(notify->type);
+
+	switch (type) {
+	case ISAKMP_NTYPE_CONNECTED:
+	case ISAKMP_NTYPE_RESPONDER_LIFETIME:
+	case ISAKMP_NTYPE_REPLAY_STATUS:
+#ifdef ENABLE_HYBRID
+	case ISAKMP_NTYPE_UNITY_HEARTBEAT:
+#endif
+		/* do something */
+		break;
+	case ISAKMP_NTYPE_INITIAL_CONTACT:
+		if (encrypted)
+			info_recv_initialcontact(iph1);
+			return 0;
+		break;
+#ifdef ENABLE_DPD
+	case ISAKMP_NTYPE_R_U_THERE:
+		if (encrypted)
+			return isakmp_info_recv_r_u(iph1,
+				(struct isakmp_pl_ru *)notify, msgid);
+		break;
+	case ISAKMP_NTYPE_R_U_THERE_ACK:
+		if (encrypted)
+			return isakmp_info_recv_r_u_ack(iph1,
+				(struct isakmp_pl_ru *)notify, msgid);
+		break;
+#endif
+	default:
+	    {
+		/* XXX there is a potential of dos attack. */
+		if(type >= ISAKMP_NTYPE_MINERROR &&
+		   type <= ISAKMP_NTYPE_MAXERROR) {
+			if (msgid == 0) {
+				/* don't think this realy deletes ph1 ? */
+				plog(LLV_ERROR, LOCATION, iph1->remote,
+					"delete phase1 handle.\n");
+				return -1;
+			} else {
+				if (getph2bymsgid(iph1, msgid) == NULL) {
+					plog(LLV_ERROR, LOCATION, iph1->remote,
+						"fatal %s notify messsage, "
+						"phase1 should be deleted.\n",
+						s_isakmp_notify_msg(type));
+				} else {
+					plog(LLV_ERROR, LOCATION, iph1->remote,
+						"fatal %s notify messsage, "
+						"phase2 should be deleted.\n",
+						s_isakmp_notify_msg(type));
+				}
+			}
+		} else {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"unhandled notify message %s, "
+				"no phase2 handle found.\n",
+				s_isakmp_notify_msg(type));
+		}
+	    }
+	    break;
+	}
+
+	/* get spi if specified and allocate */
+	if(notify->spi_size > 0) {
+		if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"invalid spi_size in notification payload.\n");
+			return -1;
+		}
+		spi = val2str((char *)(notify + 1), notify->spi_size);
+
+		plog(LLV_DEBUG, LOCATION, iph1->remote,
+			"notification message %d:%s, "
+			"doi=%d proto_id=%d spi=%s(size=%d).\n",
+			type, s_isakmp_notify_msg(type),
+			ntohl(notify->doi), notify->proto_id, spi, notify->spi_size);
+
+		racoon_free(spi);
+	}
+
+	/* Send the message data to the logs */
+	if(type >= ISAKMP_NTYPE_MINERROR &&
+	   type <= ISAKMP_NTYPE_MAXERROR) {
+		l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size;
+		if (l > 0) {
+			nraw = (char*)notify;	
+			nraw += sizeof(*notify) + notify->spi_size;
+			ndata = vmalloc(l);
+			memcpy(ndata->v, nraw, ndata->l);
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"Message: '%s'.\n", 
+				binsanitize(ndata->v, ndata->l));
+			vfree(ndata);
+		}
+	}
+	return 0;
+}
+
+/*
+ * handling of Deletion payload
+ */
+static int
+isakmp_info_recv_d(iph1, delete, msgid, encrypted)
+	struct ph1handle *iph1;
+	struct isakmp_pl_d *delete;
+	u_int32_t msgid;
+	int encrypted;
+{
+	int tlen, num_spi;
+	vchar_t *pbuf;
+	int protected = 0;
+	struct ph2handle *iph2;
+	union {
+		u_int32_t spi32;
+		u_int16_t spi16[2];
+	} spi;
+
+	if (ntohl(delete->doi) != IPSEC_DOI) {
+		plog(LLV_ERROR, LOCATION, iph1->remote,
+			"delete payload with invalid doi:%d.\n",
+			ntohl(delete->doi));
+#ifdef ENABLE_HYBRID
+		/*
+		 * At deconnexion time, Cisco VPN client does this
+		 * with a zero DOI. Don't give up in that situation.
+		 */
+		if (((iph1->mode_cfg->flags &
+		    ISAKMP_CFG_VENDORID_UNITY) == 0) || (delete->doi != 0))
+			return 0;
+#else
+		return 0;
+#endif
+	}
+
+	num_spi = ntohs(delete->num_spi);
+	tlen = ntohs(delete->h.len) - sizeof(struct isakmp_pl_d);
+
+	if (tlen != num_spi * delete->spi_size) {
+		plog(LLV_ERROR, LOCATION, iph1->remote,
+			"deletion payload with invalid length.\n");
+		return 0;
+	}
+
+	plog(LLV_DEBUG, LOCATION, iph1->remote,
+		"delete payload for protocol %s\n",
+		s_ipsecdoi_proto(delete->proto_id));
+
+	if(!iph1->rmconf->weak_phase1_check && !encrypted) {
+		plog(LLV_WARNING, LOCATION, iph1->remote,
+			"Ignoring unencrypted delete payload "
+			"(check the weak_phase1_check option)\n");
+		return 0;
+	}
+
+	switch (delete->proto_id) {
+	case IPSECDOI_PROTO_ISAKMP:
+		if (delete->spi_size != sizeof(isakmp_index)) {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"delete payload with strange spi "
+				"size %d(proto_id:%d)\n",
+				delete->spi_size, delete->proto_id);
+			return 0;
+		}
+		EVT_PUSH(iph1->local, iph1->remote,
+			EVTT_PEERPH1_NOPROP, NULL);
+		if (iph1->scr)
+			SCHED_KILL(iph1->scr);
+
+		purge_remote(iph1);
+		break;
+
+	case IPSECDOI_PROTO_IPSEC_AH:
+	case IPSECDOI_PROTO_IPSEC_ESP:
+		if (delete->spi_size != sizeof(u_int32_t)) {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"delete payload with strange spi "
+				"size %d(proto_id:%d)\n",
+				delete->spi_size, delete->proto_id);
+			return 0;
+		}
+		EVT_PUSH(iph1->local, iph1->remote, 
+		    EVTT_PEER_DELETE, NULL);
+		purge_ipsec_spi(iph1->remote, delete->proto_id,
+		    (u_int32_t *)(delete + 1), num_spi);
+		break;
+
+	case IPSECDOI_PROTO_IPCOMP:
+		/* need to handle both 16bit/32bit SPI */
+		memset(&spi, 0, sizeof(spi));
+		if (delete->spi_size == sizeof(spi.spi16[1])) {
+			memcpy(&spi.spi16[1], delete + 1,
+			    sizeof(spi.spi16[1]));
+		} else if (delete->spi_size == sizeof(spi.spi32))
+			memcpy(&spi.spi32, delete + 1, sizeof(spi.spi32));
+		else {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"delete payload with strange spi "
+				"size %d(proto_id:%d)\n",
+				delete->spi_size, delete->proto_id);
+			return 0;
+		}
+		purge_ipsec_spi(iph1->remote, delete->proto_id,
+		    &spi.spi32, num_spi);
+		break;
+
+	default:
+		plog(LLV_ERROR, LOCATION, iph1->remote,
+			"deletion message received, "
+			"invalid proto_id: %d\n",
+			delete->proto_id);
+		return 0;
+	}
+
+	plog(LLV_DEBUG, LOCATION, NULL, "purged SAs.\n");
 
 	return 0;
 }
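Review bot: In isakmp_info_recv_n the length used for logging, `l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size`, is a size_t built from peer-supplied fields, and the only guard on h.len (the spi_size check above it) runs when spi_size > 0; a header shorter than sizeof(*notify) wraps l to a huge value, and the vmalloc() result is then dereferenced without a NULL check. Test that h.len exceeds the header plus spi_size before subtracting and skip the log when vmalloc() fails, as in the fence below. The `return 0;` in the ISAKMP_NTYPE_INITIAL_CONTACT case is indented as if inside `if (encrypted)` but is unconditional, so the SPI logging below is skipped for every initial-contact notify; if the return was meant only after handling, brace it: `if (encrypted) { info_recv_initialcontact(iph1); return 0; }`. In isakmp_info_recv_d the IPSECDOI_PROTO_ISAKMP branch validates spi_size but never compares the cookies carried in the payload with `iph1->index` before purge_remote(iph1), so unless purge_remote does that itself a delete naming any ISAKMP SA tears down this one. `pbuf` in recv_n and `pbuf`, `protected`, `iph2` in recv_d are declared but never used.
```c
	/* … unchanged: notify type switch and SPI logging … */

	/* Send the message data to the logs */
	if (type >= ISAKMP_NTYPE_MINERROR &&
	    type <= ISAKMP_NTYPE_MAXERROR) {
		/*
		 * h.len and spi_size come from the peer; the spi_size check
		 * above only runs when spi_size > 0, so guard the subtraction
		 * here instead of letting a size_t wrap.
		 */
		if (ntohs(notify->h.len) >
		    sizeof(*notify) + notify->spi_size) {
			l = ntohs(notify->h.len) - sizeof(*notify)
			    - notify->spi_size;
			nraw = (char *)notify;
			nraw += sizeof(*notify) + notify->spi_size;
			ndata = vmalloc(l);
			if (ndata != NULL) {
				memcpy(ndata->v, nraw, ndata->l);
				plog(LLV_ERROR, LOCATION, iph1->remote,
					"Message: '%s'.\n",
					binsanitize(ndata->v, ndata->l));
				vfree(ndata);
			}
		}
	}
	return 0;
```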
@@ -451,8 +716,10 @@
 	iph1->flags = 0;
 	iph1->msgid = 0;	/* XXX */
 #ifdef ENABLE_HYBRID
-	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
-		return -1;
+	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
+		error = -1;
+		goto end;
+	}
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
@@ -460,8 +727,10 @@
 #endif
 
 	/* copy remote address */
-	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
-		return -1;
+	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
+		error = -1;
+		goto end;
+	}
 
 	tlen = sizeof(*n) + spisiz;
 	if (data)
@@ -470,6 +739,7 @@
 	if (payload == NULL) { 
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to get buffer to send.\n");
+		error = -1;
 		goto end;
 	}
 
@@ -481,7 +751,7 @@
 	n->spi_size = spisiz;
 	n->type = htons(type);
 	if (spisiz)
-		memset(n + 1, 0, spisiz);	/*XXX*/
+		memset(n + 1, 0, spisiz);	/* XXX spisiz is always 0 */
 	if (data)
 		memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
 
@@ -628,18 +898,28 @@
 		goto end;
 
 	iph2->dst = dupsaddr(iph1->remote);
+	if (iph2->dst == NULL) {
+		delph2(iph2);
+		goto end;
+	}
 	iph2->src = dupsaddr(iph1->local);
+	if (iph2->src == NULL) {
+		delph2(iph2);
+		goto end;
+	}
 	switch (iph1->remote->sa_family) {
 	case AF_INET:
-#ifndef ENABLE_NATT
+#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
 		((struct sockaddr_in *)iph2->dst)->sin_port = 0;
 		((struct sockaddr_in *)iph2->src)->sin_port = 0;
 #endif
 		break;
 #ifdef INET6
 	case AF_INET6:
+#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
 		((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
 		((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
+#endif
 		break;
 #endif
 	default:
@@ -823,113 +1103,7 @@
 	return buf;
 }
 
-/*
- * handling to receive Notification payload
- */
-static int
-isakmp_info_recv_n(iph1, msg)
-	struct ph1handle *iph1;
-	vchar_t *msg;
-{
-	struct isakmp_pl_n *n = NULL;
-	u_int type;
-	vchar_t *pbuf;
-	struct isakmp_parse_t *pa, *pap;
-	char *spi;
-
-	if (!(pbuf = isakmp_parse(msg)))
-		return -1;
-	pa = (struct isakmp_parse_t *)pbuf->v;
-	for (pap = pa; pap->type; pap++) {
-		switch (pap->type) {
-		case ISAKMP_NPTYPE_HASH:
-			/* do something here */
-			break;
-		case ISAKMP_NPTYPE_NONCE:
-			/* send to ack */
-			break;
-		case ISAKMP_NPTYPE_N:
-			n = (struct isakmp_pl_n *)pap->ptr;
-			break;
-		default:
-			vfree(pbuf);
-			return -1;
-		}
-	}
-	vfree(pbuf);
-	if (!n)
-		return -1;
-
-	type = ntohs(n->type);
-
-	switch (type) {
-	case ISAKMP_NTYPE_CONNECTED:
-	case ISAKMP_NTYPE_RESPONDER_LIFETIME:
-	case ISAKMP_NTYPE_REPLAY_STATUS:
-		/* do something */
-		break;
-	case ISAKMP_NTYPE_INITIAL_CONTACT:
-		info_recv_initialcontact(iph1);
-		break;
-#ifdef ENABLE_DPD
-	case ISAKMP_NTYPE_R_U_THERE:
-		isakmp_info_recv_r_u(iph1, (struct isakmp_pl_ru *)n,
-				     ((struct isakmp *)msg->v)->msgid);
-		break;
-	case ISAKMP_NTYPE_R_U_THERE_ACK:
-		isakmp_info_recv_r_u_ack(iph1, (struct isakmp_pl_ru *)n,
-					 ((struct isakmp *)msg->v)->msgid);
-		break;
-#endif
-
-	default:
-	    {
-		u_int32_t msgid = ((struct isakmp *)msg->v)->msgid;
-		struct ph2handle *iph2;
-
-		/* XXX there is a potential of dos attack. */
-		if (msgid == 0) {
-			/* delete ph1 */
-			plog(LLV_ERROR, LOCATION, iph1->remote,
-				"delete phase1 handle.\n");
-			return -1;
-		} else {
-			iph2 = getph2bymsgid(iph1, msgid);
-			if (iph2 == NULL) {
-				plog(LLV_ERROR, LOCATION, iph1->remote,
-					"unknown notify message, "
-					"no phase2 handle found.\n");
-			} else {
-				/* delete ph2 */
-				unbindph12(iph2);
-				remph2(iph2);
-				delph2(iph2);
-			}
-		}
-	    }
-		break;
-	}
-
-	/* get spi and allocate */
-	if (ntohs(n->h.len) < sizeof(*n) + n->spi_size) {
-		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"invalid spi_size in notification payload.\n");
-		return -1;
-	}
-	spi = val2str((char *)(n + 1), n->spi_size);
-
-	plog(LLV_DEBUG, LOCATION, iph1->remote,
-		"notification message %d:%s, "
-		"doi=%d proto_id=%d spi=%s(size=%d).\n",
-		type, s_isakmp_notify_msg(type),
-		ntohl(n->doi), n->proto_id, spi, n->spi_size);
-
-	racoon_free(spi);
-
-	return(0);
-}
-
-void
+static void
 purge_isakmp_spi(proto, spi, n)
 	int proto;
 	isakmp_index *spi;	/*network byteorder*/
@@ -955,7 +1129,9 @@
 	}
 }
 
-static void
+
+
+void
 purge_ipsec_spi(dst0, proto, spi, n)
 	struct sockaddr *dst0;
 	int proto;
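Review bot: Two stray blank lines are added ahead of the new `void` line, so three blank lines now separate `purge_ipsec_spi` from the closing brace of the previous function, unlike the single blank line used elsewhere in this file; the `+` lines should be just `void`. Dropping `static` makes `purge_ipsec_spi` externally visible, so a matching prototype belongs in the module's header and the function's contract (caller owns `spi`, `n` entries in network byte order, as the parameter comments suggest) is worth stating there in a Doxygen-style comment. The function's parameter list and body continue outside the hunk.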
@@ -1039,7 +1215,7 @@
 			 * exists.
 			 */
 			iph2 = getph2bysaidx(src, dst, proto, spi[i]);
-			if (iph2) {
+			if(iph2 != NULL){
 				delete_spd(iph2);
 				unbindph12(iph2);
 				remph2(iph2);
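Review bot: The rewritten condition after the getph2bysaidx call drops the spaces the rest of this file uses around `if (` and before `{`; it should read `if (iph2 != NULL) {` to match the surrounding style (the replaced line already had the spacing right). The explicit `!= NULL` comparison itself is fine and reads more clearly than the bare pointer test. The enclosing function begins and ends outside the hunk.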
@@ -1085,8 +1261,10 @@
 		return;
 
 #if 0
-	loc = strdup(saddrwop2str(iph1->local));
-	rem = strdup(saddrwop2str(iph1->remote));
+	loc = racoon_strdup(saddrwop2str(iph1->local));
+	rem = racoon_strdup(saddrwop2str(iph1->remote));
+	STRDUP_FATAL(loc);
+	STRDUP_FATAL(rem);
 
 	/*
 	 * Purge all IPSEC-SAs for the peer.  We can do this
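Review bot: The racoon_strdup and STRDUP_FATAL lines sit inside the `#if 0` that opens just above them, so the new code is never compiled and this change cannot be exercised; if the peer-purge block is meant to stay disabled, deleting it (or adding a comment saying why it is retained) would be clearer than patching dead code. If STRDUP_FATAL does not terminate on a NULL argument, which the hunk does not show, the second check would leak `loc` when `rem` fails, so the two calls should be checked one at a time. The `#endif` and the enclosing function's start and end lie outside the hunk.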
@@ -1261,162 +1439,6 @@
 	vfree(buf);
 }
 
-/*
- * handling to receive Deletion payload
- */
-static int
-isakmp_info_recv_d(iph1, msg)
-	struct ph1handle *iph1;
-	vchar_t *msg;
-{
-	struct isakmp_pl_d *d;
-	int tlen, num_spi;
-	vchar_t *pbuf;
-	struct isakmp_parse_t *pa, *pap;
-	int protected = 0;
-	union {
-		u_int32_t spi32;
-		u_int16_t spi16[2];
-	} spi;
-
-	/* validate the type of next payload */
-	if (!(pbuf = isakmp_parse(msg)))
-		return -1;
-	pa = (struct isakmp_parse_t *)pbuf->v;
-	for (pap = pa; pap->type; pap++) {
-		switch (pap->type) {
-		case ISAKMP_NPTYPE_D:
-			break;
-		case ISAKMP_NPTYPE_HASH:
-			if (pap == pa) {
-				protected++;
-				break;
-			}
-			plog(LLV_ERROR, LOCATION, iph1->remote,
-				"received next payload type %d "
-				"in wrong place (must be the first payload).\n",
-				pap->type);
-			vfree(pbuf);
-			return -1;
-		default:
-			/* don't send information, see isakmp_ident_r1() */
-			plog(LLV_ERROR, LOCATION, iph1->remote,
-				"reject the packet, "
-				"received unexpecting payload type %d.\n",
-				pap->type);
-			vfree(pbuf);
-			return 0;
-		}
-	}
-
-	if (!protected) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			"delete payload is not proteted, "
-			"ignored.\n");
-		vfree(pbuf);
-		return -1;
-	}
-
-	/* process a delete payload */
-	for (pap = pa; pap->type; pap++) {
-		if (pap->type != ISAKMP_NPTYPE_D)
-			continue;
-
-		d = (struct isakmp_pl_d *)pap->ptr;
-
-		if (ntohl(d->doi) != IPSEC_DOI) {
-			plog(LLV_ERROR, LOCATION, iph1->remote,
-				"delete payload with invalid doi:%d.\n",
-				ntohl(d->doi));
-#ifdef ENABLE_HYBRID
-			/*
-			 * At deconnexion time, Cisco VPN client does this
-			 * with a zero DOI. Don't give up in that situation.
-			 */
-			if (((iph1->mode_cfg->flags &
-			    ISAKMP_CFG_VENDORID_UNITY) == 0) || (d->doi != 0))
-				continue;
-#else
-			continue;
-#endif
-		}
-
-		num_spi = ntohs(d->num_spi);
-		tlen = ntohs(d->h.len) - sizeof(struct isakmp_pl_d);
-
-		if (tlen != num_spi * d->spi_size) {
-			plog(LLV_ERROR, LOCATION, iph1->remote,
-				"deletion payload with invalid length.\n");
-			vfree(pbuf);
-			return -1;
-		}
-
-		switch (d->proto_id) {
-		case IPSECDOI_PROTO_ISAKMP:
-			if (d->spi_size != sizeof(isakmp_index)) {
-				plog(LLV_ERROR, LOCATION, iph1->remote,
-					"delete payload with strange spi "
-					"size %d(proto_id:%d)\n",
-					d->spi_size, d->proto_id);
-				continue;
-			}
-
-			if (iph1->scr)
-				SCHED_KILL(iph1->scr);
-
-			purge_remote(iph1);
-			break;
-
-		case IPSECDOI_PROTO_IPSEC_AH:
-		case IPSECDOI_PROTO_IPSEC_ESP:
-			if (d->spi_size != sizeof(u_int32_t)) {
-				plog(LLV_ERROR, LOCATION, iph1->remote,
-					"delete payload with strange spi "
-					"size %d(proto_id:%d)\n",
-					d->spi_size, d->proto_id);
-				continue;
-			}
-			EVT_PUSH(iph1->local, iph1->remote, 
-			    EVTT_PEER_DELETE, NULL);
-			purge_ipsec_spi(iph1->remote, d->proto_id,
-			    (u_int32_t *)(d + 1), num_spi);
-			break;
-
-		case IPSECDOI_PROTO_IPCOMP:
-			/* need to handle both 16bit/32bit SPI */
-			memset(&spi, 0, sizeof(spi));
-			if (d->spi_size == sizeof(spi.spi16[1])) {
-				memcpy(&spi.spi16[1], d + 1,
-				    sizeof(spi.spi16[1]));
-			} else if (d->spi_size == sizeof(spi.spi32))
-				memcpy(&spi.spi32, d + 1, sizeof(spi.spi32));
-			else {
-				plog(LLV_ERROR, LOCATION, iph1-