Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS) trunk
authormanu <manu@NetBSD.org>
Sat, 12 Feb 2005 11:11:11 +0000
branchtrunk
changeset 134073 9385e983c959
parent 134072 82b17fc37cef
child 134074 0c17ae3fdf96
Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS). ipsec-tools is a fork of KAME racoon/libipsec/setkey, with many enhancements.
crypto/dist/ipsec-tools/.cvsignore
crypto/dist/ipsec-tools/ChangeLog
crypto/dist/ipsec-tools/Makefile.am
crypto/dist/ipsec-tools/NEWS
crypto/dist/ipsec-tools/README
crypto/dist/ipsec-tools/acracoon.m4
crypto/dist/ipsec-tools/bootstrap
crypto/dist/ipsec-tools/configure.ac
crypto/dist/ipsec-tools/package_version.h.in
crypto/dist/ipsec-tools/rpm/.cvsignore
crypto/dist/ipsec-tools/rpm/Makefile.am
crypto/dist/ipsec-tools/rpm/ipsec-tools.FC1
crypto/dist/ipsec-tools/rpm/ipsec-tools.spec.in
crypto/dist/ipsec-tools/rpm/suse/.cvsignore
crypto/dist/ipsec-tools/rpm/suse/Makefile.am
crypto/dist/ipsec-tools/rpm/suse/ipsec-tools.spec.in
crypto/dist/ipsec-tools/rpm/suse/racoon.init
crypto/dist/ipsec-tools/rpm/suse/sysconfig.racoon
crypto/dist/ipsec-tools/src/.cvsignore
crypto/dist/ipsec-tools/src/Makefile.am
crypto/dist/ipsec-tools/src/include-glibc/.cvsignore
crypto/dist/ipsec-tools/src/include-glibc/Makefile.am
crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h
crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h
crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h
crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h
crypto/dist/ipsec-tools/src/libipsec/.cvsignore
crypto/dist/ipsec-tools/src/libipsec/Makefile.am
crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h
crypto/dist/ipsec-tools/src/libipsec/key_debug.c
crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
crypto/dist/ipsec-tools/src/libipsec/pfkey.c
crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
crypto/dist/ipsec-tools/src/libipsec/policy_parse.y
crypto/dist/ipsec-tools/src/libipsec/policy_token.l
crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c
crypto/dist/ipsec-tools/src/libipsec/test-policy.c
crypto/dist/ipsec-tools/src/racoon/.cvsignore
crypto/dist/ipsec-tools/src/racoon/Makefile.am
crypto/dist/ipsec-tools/src/racoon/TODO
crypto/dist/ipsec-tools/src/racoon/admin.c
crypto/dist/ipsec-tools/src/racoon/admin.h
crypto/dist/ipsec-tools/src/racoon/admin_var.h
crypto/dist/ipsec-tools/src/racoon/algorithm.c
crypto/dist/ipsec-tools/src/racoon/algorithm.h
crypto/dist/ipsec-tools/src/racoon/backupsa.c
crypto/dist/ipsec-tools/src/racoon/backupsa.h
crypto/dist/ipsec-tools/src/racoon/cfparse.y
crypto/dist/ipsec-tools/src/racoon/cfparse_proto.h
crypto/dist/ipsec-tools/src/racoon/cftoken.l
crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h
crypto/dist/ipsec-tools/src/racoon/contrib/sp.pl
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
crypto/dist/ipsec-tools/src/racoon/debug.h
crypto/dist/ipsec-tools/src/racoon/debugrm.c
crypto/dist/ipsec-tools/src/racoon/debugrm.h
crypto/dist/ipsec-tools/src/racoon/dhgroup.h
crypto/dist/ipsec-tools/src/racoon/dnssec.c
crypto/dist/ipsec-tools/src/racoon/dnssec.h
crypto/dist/ipsec-tools/src/racoon/doc/FAQ
crypto/dist/ipsec-tools/src/racoon/doc/README.certificate
crypto/dist/ipsec-tools/src/racoon/doc/README.gssapi
crypto/dist/ipsec-tools/src/racoon/dump.c
crypto/dist/ipsec-tools/src/racoon/dump.h
crypto/dist/ipsec-tools/src/racoon/eaytest.c
crypto/dist/ipsec-tools/src/racoon/evt.c
crypto/dist/ipsec-tools/src/racoon/evt.h
crypto/dist/ipsec-tools/src/racoon/gcmalloc.h
crypto/dist/ipsec-tools/src/racoon/genlist.c
crypto/dist/ipsec-tools/src/racoon/genlist.h
crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c
crypto/dist/ipsec-tools/src/racoon/gnuc.h
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.h
crypto/dist/ipsec-tools/src/racoon/gssapi.c
crypto/dist/ipsec-tools/src/racoon/gssapi.h
crypto/dist/ipsec-tools/src/racoon/handler.c
crypto/dist/ipsec-tools/src/racoon/handler.h
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
crypto/dist/ipsec-tools/src/racoon/isakmp.c
crypto/dist/ipsec-tools/src/racoon/isakmp.h
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
crypto/dist/ipsec-tools/src/racoon/isakmp_base.h
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.h
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h
crypto/dist/ipsec-tools/src/racoon/isakmp_newg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_newg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.h
crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h
crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
crypto/dist/ipsec-tools/src/racoon/kmpstat.c
crypto/dist/ipsec-tools/src/racoon/localconf.c
crypto/dist/ipsec-tools/src/racoon/localconf.h
crypto/dist/ipsec-tools/src/racoon/logger.c
crypto/dist/ipsec-tools/src/racoon/logger.h
crypto/dist/ipsec-tools/src/racoon/main.c
crypto/dist/ipsec-tools/src/racoon/misc.c
crypto/dist/ipsec-tools/src/racoon/misc.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/boxes-fst.dat
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael_local.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.h
crypto/dist/ipsec-tools/src/racoon/missing/strdup.c
crypto/dist/ipsec-tools/src/racoon/nattraversal.c
crypto/dist/ipsec-tools/src/racoon/nattraversal.h
crypto/dist/ipsec-tools/src/racoon/netdb_dnssec.h
crypto/dist/ipsec-tools/src/racoon/oakley.c
crypto/dist/ipsec-tools/src/racoon/oakley.h
crypto/dist/ipsec-tools/src/racoon/pfkey.c
crypto/dist/ipsec-tools/src/racoon/pfkey.h
crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.8
crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
crypto/dist/ipsec-tools/src/racoon/plog.c
crypto/dist/ipsec-tools/src/racoon/plog.h
crypto/dist/ipsec-tools/src/racoon/policy.c
crypto/dist/ipsec-tools/src/racoon/policy.h
crypto/dist/ipsec-tools/src/racoon/privsep.c
crypto/dist/ipsec-tools/src/racoon/privsep.h
crypto/dist/ipsec-tools/src/racoon/proposal.c
crypto/dist/ipsec-tools/src/racoon/proposal.h
crypto/dist/ipsec-tools/src/racoon/prsa_par.y
crypto/dist/ipsec-tools/src/racoon/prsa_tok.l
crypto/dist/ipsec-tools/src/racoon/racoon.8
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
crypto/dist/ipsec-tools/src/racoon/racoonctl.8
crypto/dist/ipsec-tools/src/racoon/racoonctl.c
crypto/dist/ipsec-tools/src/racoon/racoonctl.h
crypto/dist/ipsec-tools/src/racoon/remoteconf.c
crypto/dist/ipsec-tools/src/racoon/remoteconf.h
crypto/dist/ipsec-tools/src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-00.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-01.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-02.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-03.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-04.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-05.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-06.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-07.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-nat-t-ike-08.txt
crypto/dist/ipsec-tools/src/racoon/rfc/draft-ietf-ipsec-udp-encaps-03.txt
crypto/dist/ipsec-tools/src/racoon/rfc/rfc2409.txt
crypto/dist/ipsec-tools/src/racoon/rfc/rfc3947.txt
crypto/dist/ipsec-tools/src/racoon/rfc/rfc3948.txt
crypto/dist/ipsec-tools/src/racoon/rsalist.c
crypto/dist/ipsec-tools/src/racoon/rsalist.h
crypto/dist/ipsec-tools/src/racoon/safefile.c
crypto/dist/ipsec-tools/src/racoon/safefile.h
crypto/dist/ipsec-tools/src/racoon/sainfo.c
crypto/dist/ipsec-tools/src/racoon/sainfo.h
crypto/dist/ipsec-tools/src/racoon/samples/.cvsignore
crypto/dist/ipsec-tools/src/racoon/samples/psk.txt.in
crypto/dist/ipsec-tools/src/racoon/samples/psk.txt.sample
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.in
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-gssapi
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-inherit
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-plainrsa
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/README
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/phase1-down.sh
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/phase1-up.sh
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/racoon.conf
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/phase1-down.sh
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf-radius
crypto/dist/ipsec-tools/src/racoon/schedule.c
crypto/dist/ipsec-tools/src/racoon/schedule.h
crypto/dist/ipsec-tools/src/racoon/session.c
crypto/dist/ipsec-tools/src/racoon/session.h
crypto/dist/ipsec-tools/src/racoon/sockmisc.c
crypto/dist/ipsec-tools/src/racoon/sockmisc.h
crypto/dist/ipsec-tools/src/racoon/stats.pl
crypto/dist/ipsec-tools/src/racoon/str2val.c
crypto/dist/ipsec-tools/src/racoon/str2val.h
crypto/dist/ipsec-tools/src/racoon/strnames.c
crypto/dist/ipsec-tools/src/racoon/strnames.h
crypto/dist/ipsec-tools/src/racoon/throttle.c
crypto/dist/ipsec-tools/src/racoon/throttle.h
crypto/dist/ipsec-tools/src/racoon/var.h
crypto/dist/ipsec-tools/src/racoon/vendorid.c
crypto/dist/ipsec-tools/src/racoon/vendorid.h
crypto/dist/ipsec-tools/src/racoon/vmbuf.c
crypto/dist/ipsec-tools/src/racoon/vmbuf.h
crypto/dist/ipsec-tools/src/setkey/.cvsignore
crypto/dist/ipsec-tools/src/setkey/Makefile.am
crypto/dist/ipsec-tools/src/setkey/parse.y
crypto/dist/ipsec-tools/src/setkey/sample-policy01.cf
crypto/dist/ipsec-tools/src/setkey/sample-policy02.cf
crypto/dist/ipsec-tools/src/setkey/sample.cf
crypto/dist/ipsec-tools/src/setkey/scriptdump.pl
crypto/dist/ipsec-tools/src/setkey/setkey.8
crypto/dist/ipsec-tools/src/setkey/setkey.c
crypto/dist/ipsec-tools/src/setkey/setkey.conf
crypto/dist/ipsec-tools/src/setkey/test-pfkey.c
crypto/dist/ipsec-tools/src/setkey/token.l
crypto/dist/ipsec-tools/src/setkey/vchar.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/.cvsignore	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,16 @@
+Makefile
+Makefile.in
+aclocal.m4
+autom4te*
+config.*
+configure
+depcomp
+install-sh
+ltmain.sh
+libtool
+missing
+ylwrap
+mkinstalldirs
+stamp-h*
+*.tar.gz
+package_version.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,1470 @@
+---------------------------------------------
+
+	Branch for 0.6 created (ipsec-tools-0_6-branch)
+
+2005-02-11  Emmanuel Dreyfus <manu@netbsd.org>
+
+	From Jason Thorpe  <thorpej@netbsd.org>
+	* src/raccon/samples/racoon.conf.sample-gssapi
+	  src/racoon/{cfparse.y|cftoken.l|gssapi.c|gssapi.h|ipsec_doi.c}
+	  src/racoon/{localconf.c|localconf.h|racoon.conf.5}
+	  configure.ac: Multiple GSSAPI fixes to get interoperability 
+	  with Microsoft IKE. 
+
+2005-02-09  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
+	  src/racoon/{isakmp_xauth.h|main.c|privsep.c|privsep.h}
+	  src/racoon/racoon.conf.5: Make PAM work with privilege separation
+
+2005-02-07  Michal Ludvig  <michal@logix.cz>
+
+	From Krisztian Kovacs:
+	* src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".
+
+2005-01-30  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/vmbuf.c.c: bugfix in vrealloc()
+	* src/racoon/oakley.c: mem leak fix in INITDHVAL()
+	* src/racoon/session.c: mem leak fix in check_flushsa()
+
+2005-01-29  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
+	* src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
+	* src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
+	* src/racoon/nattraversal.[ch]: NATT cleanup, support for all
+	  drafts (disabled by default) / RFC.
+	* src/racoon/isakmp.h: NATT cleanup for NATT RFC support
+	* src/racoon/ipsec_doi.h: updated comments about NATT
+	* configure.ac: enable-natt_XX options
+	* src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed
+
+
+2005-01-29  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Fred Senault <fred@lacave.net>
+	* src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
+	  phase2 can start.
+
+2005-01-23  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/setkey/{sekkey.8|setkey.c|token.l|parse.y}: implement NetBSD's
+	  SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD.
+
+2005-01-22  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Fred Senault <fred@lacave.net>
+	* src/racoon/{cftoken.l|cfparse.y|raccon.conf.5}
+	  src/racoon/samples/roadwarrior/README: change "my_identifier login"
+	  into "xauth_login" in the config file so that we can introduce Xauth
+	  with a pre-shared key later.
+
+2005-01-21  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
+	  workaround Linux problems. This needs a better fix.
+
+2005-01-18  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/privsep.c: build without ENABLE_HYBRID
+
+2005-01-14  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/raccon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T)
+
+2005-01-13  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
+	  1 lifetime.
+	* src/racoon/racoon.conf.5: Updated racoon man page for phase 1
+	  lifetime check / proposal_check.
+
+2005-01-11  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakjmp_quick.c: endianness bugfix from KAME
+
+2005-01-07  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c}
+	  src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h}
+	  src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is
+	  now configurable (supported only on NetBSD so far).
+
+2005-01-05  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/privsep.c: Build again on Linux with privsep
+
+2005-01-03  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
+	  src/racoon/{cfparse.y|cftoken.l|racoon.conf.5}
+	  src/racoon/doc/FAQ
+	  configure.ac: PAM support for authentication and accounting in 
+	  hybrid auth
+
+2005-01-02  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/admin.c: never fork, it buys nothing an break on some
+	  operations
+
+2004-12-30  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{Makefile.am|admin.h|cfparse.y|cftoken.l|isakmp.c}
+	  src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h| isakmp_xauth.c}
+	  src/racoon/{localconf.c|localconf.h|main.c|oakley.c|pfkey.c}
+	  src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h|session.c}
+	  src/racoon/{privsep.c|privsep.h}: new files
+	  Privilege separation
+
+	* src/racoon/{Makefile.am|admin.h|admin_var.h|kmpstat.c}
+	  src/racoon/{racoonctl.c|racoonctl.h}: new files
+	  configure.ac: publically export the adminport interface so that
+	  external program can control racoon
+	
+	* src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface
+	  versionning
+
+	* src/racoon/admin.h: make sure no / will be missing in adminsock path
+
+---------------------------------------------
+
+	Branch for 0.5 created (ipsec-tools-0_5-branch)
+
+2004-12-23  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/crypto_openssl.c: Indentation
+
+2004-12-28  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
+	  when getting an IP (Bug # 1092095)
+
+
+2004-12-26  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/session.c: remove outdated comment
+
+---------------------------------------------
+
+	0.5.beta2 released
+
+2004-12-21  Michal Ludvig  <michal@logix.cz>
+
+	* src/racoon/pfkey.c: Fix AES vs Rijndael defines.
+
+2004-12-20  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
+	  Some FreeBSD / NATT support.
+
+2004-12-17  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
+	* src/racoon/pfkey.c: Restore AES support on NetBSD.
+
+2004-12-17  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/crypto_openssl.c: Uses sprintf() instead of
+	  asprintf() in eay_get_x509subjectaltname(), because of some
+	  compilation problems reported with asprintf() on some platforms.
+	* src/racoon/oakley.c: just take the first cert in
+	  oakley_savecert() if cert ID check is disabled.
+
+2004-12-16  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/crypto_openssl.c: Build again on NetBSD
+	* src/racoon/samples/roadwarrior/server/racoon
+	  src/racoon/samples/roadwarrior/server/racoon.conf-radius
+	  src/racoon/samples/roadwarrior/README: Use DPD in sample files.
+
+2004-12-16  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
+	  when SubjectAltName contains an IP. OpenSSL code from Ludovic
+	  Flament (ludovic.flament@free.fr).
+
+---------------------------------------------
+
+	0.5.beta1 released
+
+2004-12-13  Michal Ludvig  <mludvig@suse.cz>
+
+	From Ganesan R <rganesan@users.sourceforge.net>:
+	* src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
+	  with shared libraries.
+
+2004-12-10  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/oakley.c: takes the first certificate which matches
+	  the Identity, instead of just taking the first certificate.
+
+2004-12-07  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.
+
+2004-12-04  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/libipsec/pfkey_dump.c: distinguish per-socket policies from
+	  general ones (Linux case);
+	* src/racoon/pfkey.c: dito, do not negotiate policies if racoon
+	  do not listen on out tunnel's source address.
+
+2004-12-01  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
+	  generation in r1send()
+
+2004-12-01  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
+	* src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
+	  parameters but compiled without ENABLE_DPD
+	* src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
+	  support activated in configuration
+
+2004-11-30  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time, 
+	  to avoid garbage pointer if admin port is disabled.
+	* src/racoon/{throttle.c|throttle.h}: new files
+	  src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
+	  configure.ac: Add a per-host throttling count. When throttling, 
+	  don't sleep, schedule the answer for later instead.
+	* src/racoon/kmpstat.c: default with no hexdump of the packet
+	* src/racoon/admin.c: don't remove admin socket after first request,
+	  on the other hand remove on startup stale sockets left by 
+	  crashed racoon.
+	*  src/racoon/samples/roadwarrior/README
+	   src/racoon/kmpstat.c: fix option parsing problem on Linux
+
+2004-11-29  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/session.c: Only listen on pfkey socket when received
+	  shutdown signal
+
+2004-11-28  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
+	  src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
+	  on each Xauth authentication to avoid brute force attacks
+
+2004-11-24  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/samples/roadwarrior/README
+	  src/racoon/samples/roadwarrior/client{phase1-up.sh|phase1-down.sh}
+	  src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
+	  src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
+	  Fill Linux gaps for hybrid auth client, Replace public IP by 
+	  private and example IP in the sample config files.
+
+2004-11-24  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	DPD patch from Yvan Vanhullebus <vanhu@free.fr>
+	* src/racoon/cfparse.y: missing bits for DPD support
+
+2004-11-23  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/setkey/parse.y: generate require fwd policies for unique in
+	  policies.
+	* src/setkey/setkey.c: made -r/-k options awailable only when
+	  system has FWD policies.
+	* src/setkey/setkey.8: updated docs about change above.
+
+2004-11-22  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
+	  #ifdef ENABLE_ADMINPORT/#endif.
+
+2004-11-22  Michal Ludvig  <mludvig@suse.cz>
+
+	Revert these changes (ludvigm, 2004-11-18):
+	* src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
+	* src/setkey/Makefile.am: Install setkey.conf.
+
+2004-11-22  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
+	  removal so that it's not used after been deleted.
+	* src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
+	  src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
+	  errors to racoonctl
+
+2004-11-21  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on 
+	  the ipsec-tools web site
+	* src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to 
+	  display all events reported by racoon: show-event
+	* src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
+	  with immature or dying phase 1 
+	* src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down
+
+2004-11-20  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself 
+	  as Unity compliant.
+	* src/racoon/{evt.c|evt.h}: new files 
+	  src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
+	  src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
+	  event reporting from racoon to racoonctl
+
+2004-11-20  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
+	  when racoon is compiled with INET6 support and kernel is not.
+	  Fixed with help of Zilvinas Valinskas.
+	* src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
+	  problem.
+	
+2004-11-19  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/doc/FAQ: more options and warn about software patents.
+
+2004-11-18  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/vmbuf.c: don't allocate zero-length buffer
+	* src/racoon/samples/roadwarrior/client/phase1-down.sh
+	  src/racoon/samples/roadwarrior/server/phase1-down.sh: Also 
+	  flush SAD when disconnecting.
+	* src/racoon/admin.c: Send a notification when deleting ISAKMP SA
+	* src/racoon/samples/roadwarrior/README: accomodate the recent
+	  sysconfdir change
+
+2004-11-18  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/Makefile.am: Fix adminsocket dir, install sample 
+	  racoon.conf and psk.txt.
+	* src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
+	  not $(SYSCONFDIR)/racoon.
+	* src/racoon/algorithm.h, src/racoon/eaytest.c,
+	  src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really 
+	  strict environments.
+	* src/setkey/setkey.conf: Yet another sample config file.
+	* src/setkey/Makefile.am: Install setkey.conf.
+	* rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
+	  files.
+	* rpm/suse/{Makefile.am,.cvsignore}: New files.
+	* configure.ac, rpm/Makefile.am: Build in rpm/suse.
+
+2004-11-17  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* configure.ac: paste bugfix by Zilvinas Valinskas
+	* src/racon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
+	  for generated policies. Path by Patrick McHardy.
+
+2004-11-16  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/racoonctl.8: racoonctl man page (new file)
+
+2004-11-16  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Ganesan <rganesan@users.sourceforge.net>
+	* src/racoon/ipsec_doi.c: fix free'd memory access
+
+2004-11-16  Michal Ludvig  <mludvig@suse.cz>
+
+	DPD patch from Yvan Vanhullebus <vanhu@free.fr>
+	* configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
+	  src/racoon/handler.c, src/racoon/handler.h,
+	  src/racoon/isakmp.c, src/racoon/isakmp.h,
+	  src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
+	  src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
+	  src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
+	  src/racoon/remoteconf.h, src/racoon/vendorid.c,
+	  src/racoon/vendorid.h: Dead Peer Detection (DPD) support.
+
+2004-11-16  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Remove a bash-specific construction, take II.
+	* src/racoon/grabmyaddr.c: FreeBSD fix for headers.
+
+2004-11-15  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Use correct include paths during ./configure run.
+	* src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
+	  remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
+	  (hint, hint, manu :-))
+
+2004-11-15  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* README: update the docs
+	* src/racoon/doc/FAQ: update the docs
+	* configure.ac: Remove a bash-specific construction
+
+2004-11-14  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/cfparse.y: ensure that returns from rules are 
+	  initialized even on erroneous config file.
+	* src/racoon/admin_var.h: changed management socket location
+	* src/racoon/Makefile.am: ditto, added rule to install directory
+	  for management socket.
+	* src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes, 
+	  added generation of fwd policies for every in policy spdadd'ed.
+	* src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
+	* src/setkey/policy_token.l: return something reasonable when 
+	  fwd direction is parsed on systems with no forward policy
+	  support.
+
+2004-11-14  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
+	* src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
+	  src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings 
+	* configure.ac src/racoon/{admin.c|admin_var.h}
+	  src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
+	  src/racoon/samples/roadwarrior/client/racoon.conf: make the default
+	  mode for the admin socket more secure. 
+
+2004-11-13  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
+	  src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
+	  src/racoon/samples/roadwarrior/README
+	  src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
+	  certificate authority location per-peer and configurable.
+	* src/racoon/isakmp_frag.c: fix unallocated memory access
+	* src/racoon/isakmp_agg.c: fix incorrect queue deallocation
+	* src/racoon/remoteconf.c: fix uninitialized data
+	* src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access
+
+2004-11-12  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd 
+	  commands IPv6 friendly.
+	* src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}: 
+	  Add an admin message to flush all the SA for a given peer.
+	  Convert racoonctl vd to use it.
+	* src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y} 
+	  src/racoon/{admin_var.h|admin.h|raccon.conf.5}: Enable the
+	  administrator to choose the admin socket path, ownership and mode.
+	* src/racoon/sample/roadwarrior: complete config files for 
+	  road warriors using hybrid authentication. 
+
+2004-11-12  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Config option --enable-natt=kernel
+	* src/racoon/Makefile.am: Distribute only yacc/lex source files, 
+	  not the preprocessed .c files.
+
+2004-11-11  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
+	  and comments in the VPN concentrator setup for the Cisco VPN client
+	* src/racoon/racoon.conf.5: fix documentation
+	* src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
+	  hooks event if we are a server.
+
+2004-11-10  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems
+
+2004-11-09  Michal Ludvig  <mludvig@suse.cz>
+
+	* Makefile.am: Remove aclocal-related lines.
+	* src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS
+	* configure.ac: Cleanup, define INET6 if IPv6 shoud be supported,
+	  better handling of KRB5 and NAT-T.
+	* src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
+	  FreeBSD happy with includes (Arrgh...&^#$^@!!!)
+
+2004-11-08  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
+	* src/libipsec/policy_token.l, src/racoon/kmpstat.c,
+	  src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
+	  fixes to support FreeBSD (tested with 4.10).
+
+2004-11-05  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Add --with-readline switch.
+	* src/setkey/setkey.c(stdin_loop): Fix newlines and comments
+	  when compiled without readline.
+
+2004-11-01  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/isakmp_quick.c: generated policy refresh patch
+	  by Yvan Vanhullebus
+
+2004-10-29  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Check for IPSEC_DIR_FWD and eventually define
+	  HAVE_POLICY_FWD.
+	* src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use 
+	  HAVE_POLICY_FWD in ifdefs.
+	* NEWS: Mention the fix.
+	* src/racoon/kmpstat.c: Fix compilation on Linux.
+	* src/racoon/ipsec_doi.h: Ditto.
+	* src/racoon/Makefile.am, src/setkey/Makefile.am: Update
+	  explicit dependencies.
+
+2004-10-29  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
+	  do not reconfigure internal addresses obtained through ISAKMP
+	  mode config.
+	* src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
+	  failure, kill the phase 1 and log the failure. Do not run the sa_up
+	  script in this case.
+	* src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
+	  Add -u user to racoonctl establish-sa, prompt for the PSK from
+	  the terminal, and add a vpn-connect target with simplified syntax 
+	  for establishing a SA in the road warrior case.
+	* src/racoon/{admin.c,kmpstat.c}: implement delete-sa and 
+	  vpn-disconnect commands of racoonctl
+	* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
+	  src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
+	  Remove sa_up and sa_down and replace them by a more general
+	  script hook framework. 
+
+2004-10-27  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/nattraversal.c: Use macros instead of magic numbers
+	* src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
+	  can actually establish a SA
+	* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
+	  src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
+	  Shell script hooks for ISAKMP SA creation and removal
+
+2004-10-26  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
+	  src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
+	  src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
+	  src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
+	  Update to the latest drafts
+
+2004-10-25  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	*  src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
+	   src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
+	   src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
+	   drafts documenting ISAKMP mode config, Xauth and hybrid auth
+	*  src/racoon/cftoken.l: fix build problem, add an error message
+	   when using hybrid auth options while hybrid auth is not built
+	*  src/racoon/isakmp_cfg.c: build without RADIUS support too
+
+2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
+	  src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
+	  src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
+	  src/racoon/{oakley.c,oakley.h,racoon.conf.5}
+	  src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
+	  of hybrid auth and ISAKMP mode config
+
+2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
+	  src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
+	  src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
+	  Receiver-side of IKE fragmentation
+
+2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakmp_cfg.c: Fix read buffer overflow
+	* src/racoon/isakmp_xauth.c: Fix weak authentication
+	* src/racoon/{oakley.c,oakley.h}: Fix weak authentication
+
+2004-10-21  Michal Ludvig  <mludvig@suse.cz>
+
+	From Emmanuel Dreyfus:
+	* src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
+	* src/racoon/isakmp_cfg.c: Fix endianness.
+
+2004-10-20  Michal Ludvig  <mludvig@suse.cz>
+
+	From Emmanuel Dreyfus:
+	* src/racoon/{cfparse.y,cftoken.l,handler.c},
+	  src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
+	  src/racoon/racoon.conf.5: RADIUS IP addresses allocation 
+	  and RADIUS accounting.
+	* configure.ac,
+	  src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
+	  src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
+	  src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.
+
+2004-10-08  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.
+
+2004-10-06  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
+	  to duplicate dynamically allocatd structures; duprmconf() - call
+	  these functions to produce private copy of inherited id and etype
+	  structures.
+	* src/racoon/remoteconf.c: declaration for dupetypes().
+
+2004-10-04  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/cfparse.y: check inherited_from dereferencing
+	* src/racoon/crypto_openssl.c: prevent crash on incorect DNs
+
+2004-09-27  Michal Ludvig  <mludvig@suse.cz>
+
+	From KOVACS Krisztian <hidden@balabit.hu>:
+	* src/racoon/sockmisc.c(sendfromto): Set src address.
+
+2004-09-24  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* configure.ac: added check for linux-gnu, as my box reports
+	* src/racoon/grabmyaddr.c: added missing <linux/types.h> include
+
+2004-09-21  Michal Ludvig  <mludvig@suse.cz>
+
+	Merged 'autoconf' branch to mainline:
+	* .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
+	  src/racoon/.cvsignore, src/racoon/cfparse.y, 
+	  src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, 
+	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c, 
+	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, 
+	  src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c, 
+	  src/racoon/isakmp_unity.c, src/racoon/main.c, 
+	  src/racoon/nattraversal.c, src/racoon/oakley.c, 
+	  src/racoon/oakley.h, src/racoon/sockmisc.c, 
+	  src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
+	  in 'autoconf' branch for details).
+	* acracoon.m4, src/racoon/Makefile.am: New files.
+	* src/racoon/Makefile.in, src/racoon/aclocal.m4, 
+	  src/racoon/client-puzzle.c, src/racoon/config.guess, 
+	  src/racoon/config.sub, src/racoon/configure.in, 
+	  src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp, 
+	  src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp, 
+	  src/racoon/doc/pattern, src/racoon/doc/question, 
+	  src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt, 
+	  src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en, 
+	  src/racoon/doc/sandiego-result.jp, 
+	  src/racoon/doc/sandiego0009-result.en, 
+	  src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c, 
+	  src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile, 
+	  src/racoon/samples/sandiego.pl: Removed.
+
+2004-09-17  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/vendorid.[ch]: Rewrote the VendorID handling. 
+	  We don't use the array with fixed offsets anymore, instead 
+	  a generally unordered structure with ID, string and 
+	  precomputed MD5 hashes.
+	* src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
+	  src/racoon/nattraversal.c: Updated to the new VID model.
+	* src/racoon/main.c(main): Precompute VendorIDs.
+	* src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
+	  Files removed. Function arc4random() renamed to eay_random()
+	  and moved to crypto_openssl.c.
+	* src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
+	  src/racoon/isakmp.c: Updated to the above change.
+	* src/racoon/Makefile.in, src/racoon/configure.in: Remove
+	  arc4random() from building.
+	* src/racoon/crypto_openssl.[ch](eay_random): New function.
+	* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c, 
+	  src/racoon/isakmp_xauth.c: Cleaned up headers.
+
+2004-09-16  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/crypto_openssl.c (base64_encode): Terminate
+	  the result with '\0'.
+
+2004-09-15  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: How about calling the next version 0.5?
+	* src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
+	  _BSD_SOURCE and don't require <linux/types.h>
+	* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
+	  src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
+	* src/racoon/Makefile.in: Add new files to distribution.
+	* src/racoon/configure.in: Fix linux kernel NATT detection.
+	* src/setkey/parse.y: Fix types.
+	* src/racoon/backupsa.c, src/racoon/ipsec_doi.c, 
+	  src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
+	  src/racoon/pfkey.c, src/racoon/remoteconf.c,
+	  src/racoon/session.c, src/racoon/sockmisc.c: Fix headers 
+	  ordering, use HAVE_NETINET6_IPSEC.
+	* src/racoon/isakmp_cfg.c: Use %z for size_t.
+	* src/racoon/configure.in: Clean up IPv6 stack check.
+
+2004-09-15  Michal Ludvig  <mludvig@suse.cz>
+
+	Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
+	* src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
+	  src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
+	  src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
+	  src/racoon/samples/racoon.conf.sample-cvpn: New files.
+	* src/racoon/algorithm.c, src/racoon/algorithm.h,
+	  src/racoon/cfparse.y, src/racoon/cftoken.l,
+	  src/racoon/handler.c, src/racoon/handler.h,
+	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
+	  src/racoon/isakmp.h, src/racoon/isakmp_agg.c, 
+	  src/racoon/isakmp_inf.c, src/racoon/oakley.c,
+	  src/racoon/oakley.h, src/racoon/strnames.c,
+	  src/racoon/vendorid.c, src/racoon/vendorid.h: Added
+	  code for XAUTH support.
+	* src/racoon/racoon.conf.5: Documentation for XAUTH.
+	* src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
+	  src/racoon/nattraversal.c: Added NATT VID "02\n"
+	* src/racoon/configure.in: New config option --enable-hybrid
+
+2004-09-14  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Preset CFLAGS
+	* src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
+	  Check if printf() accepts "%z" modifiers.
+	* src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
+	* src/setkey/parse.y(fix_portstr): Init 'p2'.
+	* src/setkey/setkey.c: Add required prototypes.
+
+2004-09-14  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.
+
+2004-09-14  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/configure.in: Check for NetBSD NAT-T kernel support.
+
+2004-09-13  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/configure.in: Check for <openssl/engine.h>
+	* src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
+	* src/racoon/plainrsa-gen.c: Ditto.
+
+2004-09-13  Michal Ludvig  <mludvig@suse.cz>
+
+	NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
+	* Makefile.am: build in rpm/ only on Linux
+	* configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
+	* src/Makefile.am: Build include-glibc only on Linux
+	* src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
+	  ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
+	  policy_parse.y,policy_token.l,test-policy-priority.c},
+	  src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
+	  nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
+	  proposal.c,sainfo.c,schedule.c,strnames.c},
+	  src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
+	  ifdefs.
+	* src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
+	* src/racoon/configure.in: Check for kernel NAT-T support,
+	  fix libipsec.a linkage path.
+	* src/racoon/eaytest.c(certtest): Use %z for size_t.
+	
+2004-09-12  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/grabmyaddr.c: improoved socket selection algorithm for
+	  case when link-local addresses comes w/o sin6_scope_id set.
+	  
+2004-09-07  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/session.c: fix for SIGHUP handler for case when config
+	  file contains listen directives.
+
+2004-09-01  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/grabmyaddr.c: added scope id handling for link-local
+	  IPv6 addresses. Now racoon will not err on such addresses.
+	  
+2004-08-19  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
+	* src/racoon/eaytest.c: eay_init_error() -> eay_init() due to 
+	  2004-06-01 changes in src/racoon/crypto_openssl.c
+
+2004-08-15  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/cfparse.y src/racoon/crypto_openssl.c
+	  src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
+	  src/racoon/racoon.conf.5 src/racoon/remoteconf.c
+	  src/racoon/remoteconf.h: peers_identifier wildcard and 
+	  list patch by James Matheson
+
+---------------------------------------------
+
+	0.4rc1 released
+
+2004-08-09  Michal Ludvig  <mludvig@suse.cz>
+
+	* NEWS: Notes for release 0.4rc1
+	* configure.ac: Bump up version to 0.4rc1
+
+2004-07-12  Michal Ludvig  <mludvig@suse.cz>
+
+	PlainRSA support.
+	See ChangeLog.prsa from the 'plainrsa' branch for details.
+	* src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
+	* src/racoon/genlist.c src/racoon/genlist.h 
+	  src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c 
+	  src/racoon/prsa_par.y src/racoon/prsa_tok.l 
+	  src/racoon/rsalist.c src/racoon/rsalist.h 
+	  src/racoon/samples/racoon.conf.sample-plainrsa: New files.
+	* src/racoon/Makefile.in src/racoon/configure.in
+	  src/racoon/cfparse.y src/racoon/cftoken.l 
+	  src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
+	  src/racoon/handler.h src/racoon/ipsec_doi.c 
+	  src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c 
+	  src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c 
+	  src/racoon/remoteconf.h src/racoon/sockmisc.c 
+	  src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.
+
+2004-07-12  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
+	  f_foreground to plog.c.
+	* src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode 
+	  adjusting.
+	* src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
+	  src/racoon/oakley.c: Fix typos, newlines and printf() format strings.
+
+2004-06-16  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/crypto_openssl.c (eay_get_x509cert): small memory 
+	  leak fix. Noticed B.Buesker, patch L.Stellingwerff
+	* src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt): 
+	  small memory leaks fixed.
+
+2004-06-15  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	SECURITY
+	* src/racoon/crypto_openssl.[ch] (cb_check_cert_local, 
+	  cb_check_cert_remote): split cb_check_cert() due to stricter
+	  requirements for certificates received from network.
+	* src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
+	  local to specify how strict cert check should be
+	* src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above
+	
+2004-06-11  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support 
+	  for all known NAT-T versions.
+	* vendorid.h: Ditto.
+
+2004-06-08  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
+	* src/racoon/Makefile.in: Compile stringlist.o.
+
+2004-06-07  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Set version to 'cvs'.
+	* src/{racoon,setkey,libipsec}/*.h: Wrap headers between
+	  #ifndef/#define/#endif to allow multiple inclusions of the
+	  same file.
+	* plog.h (plog): Attribute __printf__ for automatic checking 
+	  of the parameters' validity.
+	* cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
+	  isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
+	  sockmisc.c: Fix warnings/errors in the plog() parameters with 
+	  the above change.
+
+2004-06-05  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/setkey/setkey.c: -n (no action) support. 
+	  Thanks Thomas Habets.
+	* src/setkey/setkey.8: Documentation for above.
+	* src/racoon/doc/README.certificate: updated link to more recent
+	  version of document. Debian bug #252513 by Jose Luis Domingo Lopez
+
+2004-06-01  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/algorithm.c: Enable compilation without SHA2 support.
+	* src/racoon/crypto_openssl.c: Ditto.
+
+2004-06-01  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
+	  OpenSSLs.
+	  (eay_init): New function.
+	  (eay_init_error, eay_check_pkcs7sign): Removed.
+	* src/racoon/crypto_openssl.h: Reflect the above changes.
+	* src/racoon/main.c: Call eay_init() instead of eay_init_error().
+
+2004-05-27  Michal Ludvig  <mludvig@suse.cz>
+
+	Support for inheritance of 'remote' statements:
+	* src/racoon/cftoken.l: New keyword 'inherit'.
+	* src/racoon/cfparse.y: Support for 'inherit', remove
+	  global 'prhead', use cur_rmconf->prhead instead.
+	* src/racoon/remoteconf.c (rmtree): Changed from
+	  LIST queue to TAILQ queue.
+	  (getrmconf): Renamed to getrmconf_strict().
+	  (copyrmconf, duprmconf)
+	  (dump_rmconf_single, dumprmconf): New functions.
+	  (rm2str): Deleted.
+	* src/racoon/remoteconf.h: Prototypes for the above.
+	  (struct remoteconf): New fields 'inherited_from' and 'prhead'.
+	* src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
+	* src/racoon/algorithm.c (alg_oakley_encdef_name)
+	  (alg_oakley_hashdef_name, alg_oakley_dhdef_name)
+	  (alg_oakley_authdef_name): New functions.
+	* src/racoon/algorithm.h: Prototpes for the above.
+	* src/racoon/strnames.c (num2str): Make extern.
+	  (s_doi, s_etype, s_idtype, s_switch): New functions.
+	* src/racoon/strnames.h: Prototpes for the above.
+	* src/racoon/main.c: New parameter -C for dumping the parsed config.
+	* src/racoon/racoon.conf.5: Document inheritance.
+	* src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
+	* src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit
+
+2004-05-24  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c, 
+	isakmp_quick.c, pfkey.c, remoteconf.c, session.c, 
+	sockmisc.c: Allow compilation with --disable-ipv6
+	
+2004-05-21  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of 
+	  algorithm specific functions.
+
+2004-05-20  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	Manual page updates. Thanks Brian
+	* src/libipsec/ipsec_set_policy.3
+	* src/setkey/setkey.8
+	* src/libipsec/test-policy-priority.c: new file from policy 
+	  priority patch, which I forgot to add
+
+2004-05-18  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	Policy priority integer handling fixes by Brian Buesker.
+	* src/libipsec/ipsec_strerror.c
+	* src/libipsec/ipsec_strerror.h
+	* src/libipsec/libpfkey.h
+	* src/libipsec/policy_parse.y
+	* src/libipsec/test-policy-priority.c
+	Manual page corrections by me
+	* src/libipsec/ipsec_set_policy.3
+	* src/setkey/setkey.8
+
+2004-05-15  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	Policy priority support patch from Brian Buesker. Applied as is
+	except src/libipsec/Makefile.am is modified instead of 
+	src/libipsec/Makefile.in as found in the patch.
+
+2004-05-10  Michal Ludvig  <mludvig@suse.cz>
+
+	From Heiko Hund, approved by the copyright holder:
+	* src/racoon/gssapi.[ch]: Update to 3-clause BSD license.
+	
+2004-04-27  Michal Ludvig  <mludvig@suse.cz>
+
+	From Heiko Hund:
+	* src/include-glibc/sys/queue.h: Update to 3-clause BSD license.
+
+2004-04-26  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to 
+	  send notifications about changed interfaces.
+	  
+2004-04-24  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
+	  information about interfaces. Thanks Steve Grubb and Bill
+	  Nottingham. Affects users with glibc w/o getifaddrs(). Users 
+	  with glibc earlier than 2003-11-14 should upgrade their glibc.
+
+2004-04-19  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/isakmp.c (isakmp_handler): Reject too big 
+	  packets (CAN-2004-0403).
+
+---------------------------------------------
+
+	0.3 released
+
+2004-04-14  Michal Ludvig  <mludvig@suse.cz>
+
+	* NEWS: Notes for release 0.3
+	* configure.ac: Bump up version to 0.3
+	* src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
+	* src/racoon/remoteconf.c (foreachrmconf): Avoid warning about 
+	  uninitialised variable.
+	* src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
+	  and FreeSWAN.
+
+2004-04-13  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
+	  not suitable.
+
+2004-04-09  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
+	* src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
+	* src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
+	  mismatch to LLV_WARNING.
+	* src/libipsec/pfkey_dump.c, src/racoon/algorithm.c 
+	  src/racoon/algorithm.h src/racoon/cftoken.l 
+	  src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h 
+	  src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c 
+	  src/setkey/token.l: Renamed Rijndael to AES.
+	* src/setkey/token.l: Recognize exit/quit/bye tokens.
+	* src/setkey/parse.y (exit_command): New.
+	* src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
+	  in exit_command.
+
+2004-04-08  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/setkey/setkey.c (main): Call get_supported() in interactive mode.
+	  (stdin_loop): Concat multiline input into a single line before parsing.
+
+2004-04-07  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA 
+	  with level DEBUG. Having it with level INFO only pollutes logfiles.
+
+2004-04-06  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/Makefile.in: eaytest now links plog.o
+	* src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
+	  surrounding plog().
+	* src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now 
+	  verifying both good and bad signatures.
+
+---------------------------------------------
+
+	0.3rc5 released
+
+2004-04-05  Michal Ludvig  <mludvig@suse.cz>
+
+	* NEWS: Notes for release 0.3rc5
+	* configure.ac: Bump up version to 0.3rc5
+
+2004-04-05  Michal Ludvig  <mludvig@suse.cz>
+
+	Fix for a security bug found by Ralf Spenneberg:
+	* src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate 
+	  'evp' instead of 'pubkey'.
+	  (eay_rsa_sign): Use the above.
+	* src/racoon/crypto_openssl.h: Update prototypes for the above.
+	* src/racoon/eaytest.c: Disabled RSA tests because of the API change.
+
+2004-04-05  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/pfkey.c (pfkey_handler): Safety check before accessing 
+	  the array (thx to Ren.J.Y for report).
+	  (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
+	* src/racoon/strnames.c (name_pfkey_type): Ditto.
+
+2004-04-02  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/eaytest.c (ciphertest_1): Correct padlen.
+
+2004-04-01  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
+	  update from here ...
+	  (ipsecdoi_setph2proposal): ... to here. Hopefully this is a 
+	  better place to do the update.
+
+2004-03-30  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
+	  (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
+	* src/racoon/eaytest.c (ciphertest_1): New function.
+	  (ciphertest): Simplified to simple calls of ciphertest_1().
+
+2004-03-29  Michal Ludvig  <mludvig@suse.cz>
+
+	* README: Rewritten. Mentioned where to report bugs.
+
+2004-03-26  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Check for readline.h and libreadline.
+	* src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
+	  (stdin_loop): Read user input and parse it line-by-line.
+	* src/setkey/token.l (parse_string): New function.
+
+---------------------------------------------
+
+	0.3rc4 released
+
+2004-03-25  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Bump up version to 0.3rc4
+	* NEWS: Notes for release 0.3rc4
+	* src/racoon/cfparse.y (algorithm): Hint about missing module.
+	* src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key 
+	  length only with old API.
+	  (eay_des_encrypt): Ditto.
+	* src/racoon/eaytest.c: Make the testsuite usefull, i.e. exit with
+	  non-zero error code if any of the tests fail.
+	  (main): Print banner with version.
+	* src/racoon/Makefile.in: Run eaytest in 'make check'.
+
+2004-03-23  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before 
+	  comparing NAT-D payloads. (thx to Gaurav Kansal for report).
+	* src/racoon/crypto_openssl.c: Avoid type-punned warnings.
+	* src/racoon/eaytest.c: Disable 'cert' tests.
+	* src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check 
+	  for strict length.
+	  (eay_aes_encrypt): Keylength is in bits, not bytes.
+
+2004-03-22  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key 
+	  instead of NULL and check for availability.
+
+---------------------------------------------
+
+	0.3rc3 released
+
+2004-03-19  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Bump up version to 0.3rc3
+	* NEWS: Notes for release 0.3rc3
+	* src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
+	* src/racoon/proposal.c (cmpsatrns): New parameter proto_id, 
+	  better diagnostic output when trns_id don't match.
+	* src/racoon/proposal.h (cmpsatrns): Update prototype.
+	* src/setkey/setkey.c: Change option -h to -H (for hexdump), new
+	  options -h (help) and -V (version).
+	* src/setkey/setkey.8: Document the above changes.
+	* src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...
+
+2004-03-15  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/configure.in: Prevent compilation error with
+	  --enable-yydebug.
+
+---------------------------------------------
+
+	0.3rc2 released
+
+2004-03-11  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Bump up version to 0.3rc2
+	* NEWS: Notes for release 0.3rc2
+	* src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
+	* src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
+	* src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
+	* src/racoon/racoon.conf.5: Note that NAT-T support is a compile 
+	  time option.
+
+2004-03-10  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/racoon.conf.5: Document nat_traversal option.
+	* src/racoon/racoon.8: DOcument new options (-L and -P).
+
+2004-03-09  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
+	  UDP-Encap ports if NAT-T is enabled.
+	  (dupmyaddr): New function.
+	* src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
+	* src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but 
+	  no port for UDP-Encap was open.
+	* src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
+	* src/racoon/localconf.c, src/racoon/localconf.h: Define and setup 
+	  lcconf->port_isakmp_natt.
+	* src/racoon/main.c (main): Print nicer banner,
+	  (usage): Document new options (-L and -P).
+	  (parse): Recognise the above.
+	* src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded 
+	  constants for float_port.
+	  (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
+	* src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
+	* src/racoon/plog.c: Don't print source:line:function by default.
+	* src/racoon/remoteconf.c (foreachrmconf): New helper function.
+	* src/racoon/remoteconf.h: Prototype for the above.
+	* package_version.h: Define strings for use in banners.
+	* configure.ac: Fill up the above header.
+
+2004-03-09  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/configure.in: Don't put -O into OPTFLAGS,
+	  add new option --disable-natt.
+	* src/racoon/cfparse.y, src/racoon/handler.c,
+	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
+	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
+	  src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
+	  src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
+	  with ENABLE_NATT.
+	* src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.
+
+2004-03-06  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* configure.ac: Refuse to continue if lexer library (yywrap() 
+	  function) is missing. Should prevent bugs like #892067, #908758
+	* src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
+	  Users should not be given false idea that they require both OpenSSL
+	  and SSLeay to compile racoon. (See bug #902197)
+
+---------------------------------------------
+
+	0.3rc1 released
+
+2004-03-04  Michal Ludvig  <mludvig@suse.cz>
+
+	* configure.ac: Bump up version to 0.3rc1
+	* NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
+	  from 0.2 branch).
+	* src/racoon/samples/racoon.conf.sample-natt: New sample config file.
+	* src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
+	  enabled NATT by default (will become a config option later).
+
+2004-03-04  Michal Ludvig  <mludvig@suse.cz>
+
+	Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
+	to racoon.
+	* src/racoon/Makefile.in, src/racoon/cfparse.y,
+	  src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
+	  src/racoon/grabmyaddr.h, src/racoon/handler.c,
+	  src/racoon/handler.h, src/racoon/ipsec_doi.c,
+	  src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
+	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
+	  src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
+	  src/racoon/localconf.c, src/racoon/localconf.h,
+	  src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
+	  src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
+	  src/racoon/remoteconf.h, src/racoon/session.c,
+	  src/racoon/strnames.c, src/racoon/vendorid.h
+	  src/libipsec/pfkey.c,
+	  src/racoon/nattraversal.c, src/racoon/nattraversal.h,
+	  src/racoon/sockmisc.c: Affected files.
+
+2004-02-27  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/isakmp.c (set_isakmp_header1): Renamed from
+	  set_isakmp_header().
+	  (set_isakmp_header): New function common for set_isakmp_header1() 
+	  and set_isakmp_header2().
+	  (copy_ph1addresses): Obey original port.
+	  (isakmp_plist_append, isakmp_plist_set_all): New helper functions.
+	* src/racoon/isakmp_var.h: Prototypes for the above.
+	* src/racoon/isakmp.h (struct payload_list): New structure.
+	* src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, 
+	  src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.
+
+2004-02-03  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/Makefile.in: Fix install to $(sbindir)
+	* src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).
+
+2004-01-19  Michal Ludvig  <mludvig@suse.cz>
+
+	* rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
+	  (thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)
+
+2004-01-17  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team
+
+2004-01-15  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
+	(reported on bugtraq, fixed by iij seil team).
+	* src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.
+
+2004-01-14  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used 
+	only once).
+	* configure.ac: Don't build shared libipsec by default (can be
+	enabled by --enable-shared).
+	* bootstrap: Don't run automake for racoon.
+
+2004-01-12  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
+	  use config.h for defines instead of -DHAVE_* gcc options,
+	  fix CRYPTOBJS to include missing rijndael libraries only once, 
+	  checking for AES support in OpenSSL now (hopefully) finally 
+	  works on both OpenSSL 0.9.6 and 0.9.7.
+	* src/racoon/*.[cyl]: Include autogenerated "config.h"
+	* src/racoon/missing/crypto/*/*.c: Ditto.
+	* src/racoon/.cvsignore: Add config.h, config.h.in
+
+2004-01-09  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/.cvsignore: Add "autom4te.cache" and "configure".
+
+2004-01-09  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	Sync with KAME 2004-01-07
+	* src/libipsec/pfkey.c: memory leak fix; comment typo fixes
+	* src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even 
+	  no SADB_X_EXT_TAG defined
+	* src/libipsec/pfkey_dump.c: information about algorithms 
+	  ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
+	* src/libipsec/policy_parse.y: memory leak
+	* src/libipsec/policy_token.l: memory leak
+	* src/libipsec/test-policy.c: unneeded \n removed
+	* src/racoon/Makefile.in: $(sbindir) support
+	* src/racoon/admin.c: interface changes due to proxy support 
+	* src/racoon/algorithm.c: SHA2 #ifdefs
+	* src/racoon/{cfparse.y,cftoken.l}: license text added
+	* src/racoon/cfparse.y: mip6 obsoleted by proxy support
+	* src/racoon/cfparse.y: from directive support; new algorithms
+	* src/racoon/cftoken.l: support for globbing of include files
+	* src/racoon/configure.in: more verbose information about problems 
+	  with SHA2
+	* src/racoon/crypto_openssl.c: use new DES API if supported; algorithm 
+	  key size fixes
+	* src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
+	* src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
+	  style change
+	* src/racoon/isakmp.c: use VPTRINIT; interface changes due to
+	  mip6->proxy; typo
+	* src/racoon/isakmp_inf.c: use VPTRINIT
+	* src/racoon/isakmp_quick.c: mip6->proxy
+	* src/racoon/kmpstat.c: not used variables removed
+	* src/racoon/pfkey.c: mip6->proxy; schedule leak
+	* src/racoon/proposal.c: style
+	* src/racoon/remoteconf.c: mip6->proxy
+	* src/racoon/sainfo.c: from directive support
+	* src/racoon/sockmisc.c: side correction; addrinfo leak
+	* src/racoon/strnames.c: typo in descriptions; wrong upper bound check
+	* src/racoon/missing/crypto/sha2/sha2.c: wrong size
+	* src/setkey/parse.y: extra algorithms; tagged; not needed periods
+	  removed; memory shortage checks
+	* src/setkey/setkey.8: typos; tagged; new algorithms
+	* src/setkey/setkey.c: standard argument names for main(); hexdump
+	  support; info in file support
+	* src/setkey/token.l: new algorithms; memory shortage checks
+	  Parts not taken from KAME:
+	* kernelfs stuff;
+	* sysctl stuff
+
+2004-01-08  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/config.{sub,guess}: Update from automake 1.7.
+
+2004-01-08  Michal Ludvig  <mludvig@suse.cz>
+
+	Patch from Kostadin Karaivanov <larry@minfin.bg>:
+	* src/racoon/configure.in: Check for openssl/aes.h.
+	* src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.
+
+2004-01-08  Michal Ludvig  <mludvig@suse.cz>
+
+	* src/racoon/configure: Remove, should be regenerated by bootstrap.
+
+2004-01-02  Michal Ludvig  <michal@logix.cz>
+
+	* src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
+	  (by Brian Buesker <bbuesker@qualcomm.com>
+	   and Christophe Saout <christophe@saout.de>)
+	* src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
+	* src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
+	  (by Michal Ludvig).
+	* src/setkey/token.l, src/setkey/parse.y: Add support for lifetime 
+	  specified in bytes (by Michal Ludvig).
+	* src/setkey/setkey.8: Document -bh/-bs options for the above feature.
+	* src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE 
+	  message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>)
+	* src/racoon/cfparse.y: Flush SA on SIGHUP
+	  (by Brian Buesker <bbuesker@qualcomm.com>)
+	* src/racoon/pfkey.c: IPcomp fixes
+	  (by Brian Buesker <bbuesker@qualcomm.com>)
+	* src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
+	* src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
+	  an entry with NULL ifa_addr (Michal Ludvig).
+	* configure.ac: Change path to kernel headers 
+	  from /usr/src/devel-2.5/devel to /usr/src/linux
+	* bootstrap: Use default tools, reconfigure src/racoon
+	* src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ,
+	  changed comments from 'dnl' to '#'.
+
+2003-06-20  Derek Atkins  <derek@ihtfp.com>
+
+	* src/racoon/aclocal.m4:
+	* src/racoon/configure:
+	  Don't execute "for i in $3" if "$3" doesn't exist.
+	  Fixes bug #721296.
+	
+2003-03-31  Derek Atkins  <derek@ihtfp.com>
+
+	* src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
+	  (which is value '2')
+
+2003-03-27  Derek Atkins  <derek@ihtfp.com>
+
+	* src/libipsec/key_debug.c: use ntohs() before printing port
+	* src/libipsec/pfkey.c: convert port# to network byte order
+	* src/libipsec/pfkey_dump.c: use ntohs() before printing ports
+	* src/setkey/parse.y: convert port#'s to network byte order
+	
+2003-03-24  Derek Atkins  <derek@ihtfp.com>
+
+	* src/libipsec/pfkey.c: Don't switch off NAT-T extensions
+	  if they don't exist in the kernel.
+
+	* src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
+	  as per Tom Lendacky <toml@us.ibm.com>.  Also move the
+	  setting of IPV6_IPSEC_POLICY to the top of the file.
+	
+2003-03-13  Derek Atkins  <derek@ihtfp.com>
+
+	Add initial support for NAT-T PFKey Extensions:
+	* src/libipsec/key_debug.c: add support to print information
+	  about NAT-T extension packets.
+	* src/libipsec/libpfkey.h: add two new APIs to support NAT-T
+	  for add and update as part of the SADB.
+	* src/libipsec/pfkey.c:
+	  - Implement extended APIs to support NAT-T for add and update
+	    of the SADB.
+	  - Add APIs to fill a buffer with NAT-T packet types
+	* src/libipsec/pfkey_dump.c: Extend the SADB output to include
+	  PFKey packets.  Put port numbers with the source and dest
+	  addresses, add an 'esp-udp' SA-type, and add a printout for
+	  the NAT-OA.
+	* src/setkey/parse.y:
+	  - Extend setkey to create an ESP-UDP SA.
+	  - default UDP port is 4500
+	  - extend 'add' to allow <ip-addr>[<portnum>] for source and dest
+	    (the portnum specification requires the [] characters)
+	  - add an ESPUDP "protocol" from the lexer.  This will use
+	    ESP and allow an optional Original Address setting.
+	  - add a function to get a udp port from a struct sockaddr *
+	  - pass the NAT-T extentions into PFKey
+	* src/setkey/token.l: add "esp-udp" token
+	
+	* rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch:
+	  This switches it to use %{_lib} (for /lib64 systems such as
+	  x86-64 and s390x, and has it own the /etc/racoon directory in
+	  the package as well.
+
+---------------------------------------------
+
+	0.2.2 released
+
+2003-03-13  Derek Atkins  <derek@ihtfp.com>
+
+	* configure.am, NEWS:
+	  Update for 0.2.2 release
+
+	* Makefile.am: distribute depcomp
+	
+2003-03-10  Derek Atkins  <derek@ihtfp.com>
+
+	* src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make
+	  sure we link against the lexer library when necessary.
+	
+2003-03-07  Derek Atkins  <derek@ihtfp.com>
+
+	* configure.am:
+	* Makefile.am:
+	* rpm/Makefile.am:
+	* rpm/ipsec-tools.spec.in:
+	  Added RPM SPEC to CVS
+	
+---------------------------------------------
+
+	0.2.1 released
+
+2003-03-07  Derek Atkins  <derek@ihtfp.com>
+
+	* src/racoon/configure.in:  change "CFLAGS" to "CPPFLAGS" for
+	  ssl include directory, to make sure the other tests work properly.
+
+2003-03-06  Derek Atkins  <derek@ihtfp.com>
+
+	* src/racoon/kmpstat.c:  fix gcc-3.2.2 compiler warning
+
+	* src/racoon/configure.in:  look for krb5-config and don't
+	  use it if it's not found.  Fixes a configure-time warning.
+	
+--------------------------------------------
+
+	0.2 Released
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/Makefile.am	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,3 @@
+SUBDIRS = src @RPM@
+
+EXTRA_DIST = bootstrap README NEWS depcomp
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/NEWS	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,99 @@
+Version history:
+----------------
+0.6???	- ??
+	o PAM support for Xauth
+	o Privilege separation
+	o ESP fragmentation in tunnel mode can be tunned (NetBSD only)
+	o racoon admin interface is exported (header and library) to 
+	  help building control programs for racoon (think GUI)
+
+0.5???	- ?? 
+	o Rewritten buildsystem. Now completely autoconfed, automaked,
+	  libtoolized.
+	o IPsec-tools now compiles on NetBSD and FreeBSD again.
+	o Support for server-side hybrid authentication, with full 
+	  RADIUS supoort. This is interoperable with the Cisco VPN client.
+	o Support for client-side hybrid authentication (Tested only with
+	  a racoon server)
+	o ISAKMP mode config support
+	o IKE fragmentation support
+	o Fixed FWD policy support.
+	o Fixed IPv6 compilation.
+	o Readline is optional, fixed setkey when compiled without readline.
+	o Configurable Root-CA certificate.
+	o Dead Peer Detection (DPD) support.
+
+0.4rc1	- 09 August 2004
+	o Merged support for PlainRSA keys from the 'plainrsa' branch.
+	o Inheritance of 'remote{}' sections.
+	o Support for SPD policy priorities in setkey.
+	o Ciphers are now used through the 'EVP' interface which allows
+	  using hardware crypto accelerators.
+	o Setkey has new option -n (no action).
+	o All source files now have 3-clause BSD license.
+
+0.3	- 14 April 2004
+        o Fixed setkey to handle multiline commands again.
+	o Added command 'exit' to setkey.
+	o Fixed racoon to only Warn if no CRL was found.
+	o Improved testsuite.
+
+0.3rc5	- 05 April 2004
+	o Security bugfix WRT handling X.509 signatures.
+	o Stability fix WRT unknown PF_KEY messages.
+	o Fixed NAT-T with more proposals (e.g. more crypto algos).
+	o Setkey parses lines one by one => doesn't exit on errors.
+	o Setkey supports readline => more user friendly.
+
+0.3rc4	- 25 March 2004
+	o Fixed adding "null" encryption via 'setkey'.
+	o Fixed segfault when using AES in Phase1 with OpenSSL>=0.9.7
+	o Fixed NAT-T in aggresive mode.
+	o Fixed testsuite and added testsuite run into make check.
+
+0.3rc3	- 19 March 2004
+	o Fixed compilation error with --enble-yydebug
+	o Better diagnostic when proposals don't match.
+	o Changed/added options to setkey.
+
+0.3rc2	- 11 March 2004
+	o Added documentation for NAT-T
+	o Better NAT-T diagnostic.
+	o Test and workaround for missing va_copy()
+
+0.3rc1	- 04 March 2004
+	o Support for NAT Traversal (NAT-T)
+
+0.2.4	- 29 January 2004
+	o Sync with KAME as of 2004-01-07
+	o Fixed unauthorized deletion of SA in racoon (again).
+
+0.2.3	- 15 January 2004
+	o Support for SA lifetime specified in bytes
+	  (see setkey -bs/-bh options)
+	o Enhance support for OpenSSL 0.9.7
+	o Let racoon be more verbose
+	o Fixed some simple bugs (see ChangeLog for details)
+	o Fixed unauthorized deletion of SA in racoon
+	o Fixed problems on AMD64
+	o Ignore multicast addresses for IKE
+
+0.2.2	- 13 March 2003
+	o Fix racoon to build on some systems that require linking against -lfl
+	o add an RPM spec to the distribution
+
+0.2.1	- 07 March 2003
+	o Fix some more gcc-3.2.2 compiler warnings
+	o Fix racoon to actually configure with ssl in a non-standard location
+	o Fix racoon to not complain if krb5-config is not installed
+
+0.2	- 06 March 2003
+	o Glibc-2.3 support
+	o OpenSSL-0.9.7 support
+	o Fixed duplicate-macro problems
+	o Fix racoon lex/yacc support
+	o Install psk.txt mode 600, racoon.conf mode 644
+	o Fix racoon to look in the correct directory for config files
+
+0.1	- 03 March 2003
+	o Initial release of IPsec-Tools
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/README	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,31 @@
+IPsec-tools
+===========
+
+This package provides a way to use the native IPsec functionality 
+in the Linux 2.6+ kernel. It works as well on NetBSD and FreeBSD.
+
+	- libipsec, a PF_KEYv2 library
+	- setkey, a tool to directly manipulate policies and SAs
+	- racoon, an IKEv1 keying daemon
+
+IPsec-tools were ported to Linux from the KAME project 
+(http://www.kame.net) by Derek Atkins  <derek@ihtfp.com>.
+
+Currently the package is actively maintained and developed 
+by Michal Ludvig <mludvig@suse.cz>, Aidas Kasparas <a.kasparas@gmc.lt>
+and Emmanuel Dreyfus <manu@netbsd.org>.
+
+Sources can be found at the IPsec-Tools home page at:
+	http://ipsec-tools.sourceforge.net/
+
+Please report any problems to the mailing list:
+	ipsec-tools-devel@lists.sourceforge.net
+	(it is called 'devel' but feel free to send general
+	questions there as well :-)
+
+You can also browse the list archive:
+	http://sourceforge.net/mailarchive/forum.php?forum_id=32000
+
+Credits:
+	IHTFP Consulting, see http://www.ihtfp.com/
+	SUSE Linux AG, see http://www.suse.com/
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/acracoon.m4	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,193 @@
+dnl RACOON_PATH_LIBS(FUNCTION, LIB, SEARCH-PATHS [, ACTION-IF-FOUND
+dnl            [, ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]])
+dnl Search for a library defining FUNC, if it's not already available.
+
+AC_DEFUN([RACOON_PATH_LIBS],
+[AC_PREREQ([2.13])
+AC_CACHE_CHECK([for $2 containing $1], [ac_cv_search_$1],
+[ac_func_search_save_LIBS="$LIBS"
+ac_cv_search_$1="no"
+AC_TRY_LINK_FUNC([$1], [ac_cv_search_$1="none required"],
+	[LIBS="-l$2 $LIBS"
+	AC_TRY_LINK_FUNC([$1], [ac_cv_search_$1="-l$2"], [])])
+LIBS="$ac_func_search_save_LIBS"
+ifelse("x$3", "x", , [ test "$ac_cv_search_$1" = "no" && for i in $3; do
+  LIBS="-L$i -l$2 $ac_func_search_save_LIBS"
+  AC_TRY_LINK_FUNC([$1],
+  [ac_cv_search_$1="-L$i -l$2"
+  break])
+  done 
+LIBS="$ac_func_search_save_LIBS" ]) ])
+if test "$ac_cv_search_$1" != "no"; then
+  test "$ac_cv_search_$1" = "none required" || LIBS="$ac_cv_search_$1 $LIBS"
+  $4
+else :
+  $5
+fi])
+
+dnl  Check if either va_copy() or __va_copy() is available. On linux systems 
+dnl  at least one of these should be present.
+AC_DEFUN([RACOON_CHECK_VA_COPY], [
+	saved_CFLAGS=$CFLAGS
+	CFLAGS="-Wall -O2"
+	AC_CACHE_CHECK([for an implementation of va_copy()],
+		ac_cv_va_copy,[
+		AC_TRY_RUN([#include <stdarg.h>
+		void func (int i, ...) {
+			va_list args1, args2;
+			va_start (args1, i);
+			va_copy (args2, args1);
+			if (va_arg (args1, int) != 1 || va_arg (args2, int) != 1)
+				exit (1);
+	 		va_end (args1);
+			va_end (args2);
+		}
+		int main() {
+			func (0, 1);
+			return 0;
+		}],
+		[ac_cv_va_copy=yes],
+		[ac_cv_va_copy=no],
+		[])
+	])
+	if test x$ac_cv_va_copy != xyes; then
+		AC_CACHE_CHECK([for an implementation of __va_copy()],
+			ac_cv___va_copy,[
+			AC_TRY_RUN([#include <stdarg.h>
+			void func (int i, ...) {
+				va_list args1, args2;
+				va_start (args1, i);
+				__va_copy (args2, args1);
+				if (va_arg (args1, int) != 1 || va_arg (args2, int) != 1)
+					exit (1);
+				va_end (args1);
+				va_end (args2);
+			}
+			int main() {
+				func (0, 1);
+				return 0;
+			}],
+			[ac_cv___va_copy=yes],
+			[ac_cv___va_copy=no],
+			[])
+		])
+	fi
+
+	if test "x$ac_cv_va_copy" = "xyes"; then
+		va_copy_func=va_copy
+	elif test "x$ac_cv___va_copy" = "xyes"; then
+		va_copy_func=__va_copy
+	fi
+
+	if test -n "$va_copy_func"; then
+		AC_DEFINE_UNQUOTED(VA_COPY,$va_copy_func,
+			[A 'va_copy' style function])
+	else
+		AC_MSG_WARN([Hmm, neither va_copy() nor __va_copy() found.])
+		AC_MSG_WARN([Using a generic fallback.])
+	fi
+	CFLAGS=$saved_CFLAGS
+	unset saved_CFLAGS
+])
+
+AC_DEFUN([RACOON_CHECK_BUGGY_GETADDRINFO], [
+	AC_MSG_CHECKING(getaddrinfo bug)
+	saved_CFLAGS=$CFLAGS
+	CFLAGS="-Wall -O2"
+	AC_TRY_RUN([
+	#include <sys/types.h>
+	#include <sys/socket.h>
+	#include <netdb.h>
+	#include <stdlib.h>
+	#include <string.h>
+	#include <netinet/in.h>
+	
+	int main()
+	{
+	  int passive, gaierr, inet4 = 0, inet6 = 0;
+	  struct addrinfo hints, *ai, *aitop;
+	  char straddr[INET6_ADDRSTRLEN], strport[16];
+	
+	  for (passive = 0; passive <= 1; passive++) {
+	    memset(&hints, 0, sizeof(hints));
+	    hints.ai_family = AF_UNSPEC;
+	    hints.ai_flags = passive ? AI_PASSIVE : 0;
+	    hints.ai_protocol = IPPROTO_TCP;
+	    hints.ai_socktype = SOCK_STREAM;
+	    if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) {
+	      (void)gai_strerror(gaierr);
+	      goto bad;
+	    }
+	    for (ai = aitop; ai; ai = ai->ai_next) {
+	      if (ai->ai_addr == NULL ||
+	          ai->ai_addrlen == 0 ||
+	          getnameinfo(ai->ai_addr, ai->ai_addrlen,
+	                      straddr, sizeof(straddr), strport, sizeof(strport),
+	                      NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+	        goto bad;
+	      }
+	      switch (ai->ai_family) {
+	      case AF_INET:
+		if (strcmp(strport, "54321") != 0) {
+		  goto bad;
+		}
+	        if (passive) {
+	          if (strcmp(straddr, "0.0.0.0") != 0) {
+	            goto bad;
+	          }
+	        } else {
+	          if (strcmp(straddr, "127.0.0.1") != 0) {
+	            goto bad;
+	          }
+	        }
+	        inet4++;
+	        break;
+	      case AF_INET6:
+		if (strcmp(strport, "54321") != 0) {
+		  goto bad;
+		}
+	        if (passive) {
+	          if (strcmp(straddr, "::") != 0) {
+	            goto bad;
+	          }
+	        } else {
+	          if (strcmp(straddr, "::1") != 0) {
+	            goto bad;
+	          }
+	        }
+	        inet6++;
+	        break;
+	      case AF_UNSPEC:
+	        goto bad;
+	        break;
+	      default:
+	        /* another family support? */
+	        break;
+	      }
+	    }
+	  }
+	
+	  if (!(inet4 == 0 || inet4 == 2))
+	    goto bad;
+	  if (!(inet6 == 0 || inet6 == 2))
+	    goto bad;
+	
+	  if (aitop)
+	    freeaddrinfo(aitop);
+	  exit(0);
+	
+	 bad:
+	  if (aitop)
+	    freeaddrinfo(aitop);
+	  exit(1);
+	}
+	],
+	AC_MSG_RESULT(good)
+	buggygetaddrinfo=no,
+	AC_MSG_RESULT(buggy)
+	buggygetaddrinfo=yes,
+	AC_MSG_RESULT(buggy)
+	buggygetaddrinfo=yes)
+	CFLAGS=$saved_CFLAGS
+	unset saved_CFLAGS
+])
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/bootstrap	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -x
+
+# Remove autoconf 2.5x's cache directory
+
+rm -rf autom4te*.cache
+
+aclocal -I .                            || exit 1
+autoheader                              || exit 1
+libtoolize --force --copy               || exit 1
+automake --foreign --add-missing --copy || exit 1
+autoconf                                || exit 1
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/configure.ac	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,562 @@
+dnl -*- mode: m4 -*-
+dnl $Id: configure.ac,v 1.1.1.1 2005/02/12 11:11:16 manu Exp $
+
+AC_PREREQ(2.52)
+AC_INIT(ipsec-tools, 0.5pre)
+AC_CONFIG_SRCDIR([configure.ac])
+AM_CONFIG_HEADER(config.h)
+
+AM_INIT_AUTOMAKE(dist-bzip2)
+
+AC_ENABLE_SHARED(no)
+
+AC_PROG_CC
+AM_PROG_CC_STDC
+AC_HEADER_STDC
+AC_PROG_LIBTOOL
+AC_PROG_YACC
+AM_PROG_LEX
+AC_SUBST(LEXLIB)
+AC_PROG_EGREP
+
+CFLAGS_ADD="$CFLAGS_ADD -Wall -Werror -Wno-unused"
+
+case $host in
+*netbsd*)
+	LDFLAGS="-Wl,-R/usr/pkg/lib $LDFLAGS"
+	;;
+*linux*)
+	LIBS="$LIBS -lresolv"
+	INSTALL_OPTS="-o bin -g bin"
+	INCLUDE_GLIBC="include-glibc"
+	RPM="rpm"
+	AC_SUBST(INSTALL_OPTS)
+	AC_SUBST(INCLUDE_GLIBC)
+	AC_SUBST(RPM)
+	;;
+esac
+
+# Look up some IPsec-related headers
+AC_CHECK_HEADER(net/pfkeyv2.h, [have_net_pfkey=yes], [have_net_pfkey=no])
+AC_CHECK_HEADER(netinet/ipsec.h, [have_netinet_ipsec=yes], [have_netinet_ipsec=no])
+AC_CHECK_HEADER(netinet6/ipsec.h, [have_netinet6_ipsec=yes], [have_netinet6_ipsec=no])
+
+# NetBSD has <netinet6/ipsec.h> but not <netinet/ipsec.h>
+if test "$have_netinet_ipsec$have_netinet6_ipsec" = noyes; then
+    have_netinet_ipsec=yes
+    AC_DEFINE(HAVE_NETINET6_IPSEC, [], [Use <netinet6/ipsec.h>])
+fi
+
+case "$host_os" in
+ *linux*)
+    AC_ARG_WITH(kernel-headers,
+	AC_HELP_STRING([--with-kernel-headers=/lib/modules/<uname>/build/include],
+		       [where your Linux Kernel headers are installed]),
+	    [ KERNEL_INCLUDE="$with_kernel_headers" 
+	      CONFIGURE_AMFLAGS="--with-kernel-headers=$with_kernel_headers"
+	      AC_SUBST(CONFIGURE_AMFLAGS) ],
+	    [ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
+
+    AC_CHECK_FILE($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
+	[ AC_CHECK_FILE(/usr/src/linux/include/linux/pfkeyv2.h,
+	  KERNEL_INCLUDE=/usr/src/linux/include ,
+	  [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
+    AC_SUBST(KERNEL_INCLUDE)
+    # We need the configure script to run with correct kernel headers.
+    # However we don't want to point to kernel source tree in compile time,
+    # i.e. this will be removed from CPPFLAGS at the end of configure.
+    CPPFLAGS="-I$KERNEL_INCLUDE $CPPFLAGS"
+
+    AC_CHECK_MEMBER(struct sadb_x_policy.sadb_x_policy_priority, 
+    	[AC_DEFINE(HAVE_PFKEY_POLICY_PRIORITY, [],
+               	[Are PF_KEY policy priorities supported?])], [],
+    	[#include "$KERNEL_INCLUDE/linux/pfkeyv2.h"])
+
+    GLIBC_BUGS='-include ${top_srcdir}/src/include-glibc/glibc-bugs.h -I${top_srcdir}/src/include-glibc -I${top_builddir}/src/include-glibc'
+    AC_SUBST(GLIBC_BUGS)
+    GLIBC_BUGS_LOCAL="-include ${srcdir-.}/src/include-glibc/glibc-bugs.h -I${srcdir-.}/src/include-glibc -I./src/include-glibc"
+    CPPFLAGS="$GLIBC_BUGS_LOCAL $CPPFLAGS"
+    ;;
+ *)
+    if test "$have_net_pfkey$have_netinet_ipsec" != yesyes; then
+      if test "$have_net_pfkey" = yes; then
+	AC_MSG_ERROR([Found net/pfkeyv2.h but not netinet/ipsec.h. Aborting.])
+      else
+	AC_MSG_ERROR([Found netinet/ipsec.h but not net/pfkeyv2.h. Aborting.])
+      fi
+    fi
+    ;;
+esac
+
+### Some basic toolchain checks
+
+# Checks for header files.
+AC_HEADER_STDC
+AC_HEADER_SYS_WAIT
+AC_CHECK_HEADERS(limits.h sys/time.h unistd.h stdarg.h varargs.h)
+
+# Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+AC_TYPE_PID_T
+AC_TYPE_SIZE_T
+AC_HEADER_TIME
+AC_STRUCT_TM
+
+# Checks for library functions.
+AC_FUNC_MEMCMP
+AC_TYPE_SIGNAL
+AC_FUNC_VPRINTF
+AC_CHECK_FUNCS(gettimeofday select socket strerror strtol strtoul strlcpy)
+AC_REPLACE_FUNCS(strdup)
+RACOON_CHECK_VA_COPY
+
+# Check if printf accepts "%z" type modifier for size_t argument
+AC_MSG_CHECKING(if printf accepts %z)
+saved_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS -Wall -Werror"
+AC_TRY_COMPILE([
+#include <stdio.h>
+], [
+printf("%zu\n", (size_t)-1);
+],
+	[AC_MSG_RESULT(yes)],
+	[AC_MSG_RESULT(no); CFLAGS_ADD="$CFLAGS_ADD -Wno-format"])
+CFLAGS=$saved_CFLAGS
+
+# Can we use __func__ macro?
+AC_MSG_CHECKING(if __func__ is available)
+AC_TRY_COMPILE(
+[#include <stdio.h>
+], [char *x = __func__;],
+	[AC_DEFINE([HAVE_FUNC_MACRO], [], [Have __func__ macro])
+	AC_MSG_RESULT(yes)],
+	[AC_MSG_RESULT(no)])
+
+# Check if readline support is requested
+AC_MSG_CHECKING(if readline support is requested)
+AC_ARG_WITH(readline,
+	[  --with-readline         support readline input (yes by default)],
+	[with_readline="$withval"], [with_readline="yes"])
+AC_MSG_RESULT($with_readline)
+
+# Is readline available?
+if test $with_readline != "no"; then
+	AC_CHECK_HEADER([readline/readline.h], 
+		[AC_CHECK_LIB(readline, readline, [
+				AC_DEFINE(HAVE_READLINE, [],
+					[Is readline available?])
+				LIBS="$LIBS -lreadline"
+		], [])], [])
+fi
+
+# Check if a different OpenSSL directory was specified
+AC_MSG_CHECKING(if --with-openssl option is specified)
+AC_ARG_WITH(openssl, [  --with-openssl=DIR      specify OpenSSL directory],
+	[crypto_dir=$withval])
+AC_MSG_RESULT(${crypto_dir-default})
+
+if test "x$crypto_dir" != "x"; then
+	LIBS="$LIBS -L${crypto_dir}/lib"
+	CPPFLAGS_ADD="-I${crypto_dir}/include $CPPFLAGS_ADD"
+fi
+AC_MSG_CHECKING(openssl version)
+AC_EGREP_CPP(yes, [#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x0090602fL
+yes
+#endif], [AC_MSG_RESULT(ok)], [AC_MSG_RESULT(too old)
+	AC_MSG_ERROR([OpenSSL version must be 0.9.6 or higher. Aborting.])
+	])
+AC_CHECK_HEADERS(openssl/engine.h)
+
+# checking rijndael
+AC_CHECK_HEADERS([openssl/aes.h], [], 
+	[CRYPTOBJS="$CRYPTOBJS rijndael-api-fst.o rijndael-alg-fst.o"])
+
+# checking sha2
+AC_MSG_CHECKING(sha2 support)
+AC_DEFINE([WITH_SHA2], [], [SHA2 support])
+AC_CHECK_HEADER(openssl/sha2.h, [], [
+	CPPFLAGS_ADD="$CPPFLAGS_ADD -I./\${top_srcdir}/src/racoon/missing"
+	AC_LIBOBJ([sha2])
+	CRYPTOBJS="$CRYPTOBJS sha2.o"])
+AC_SUBST(CRYPTOBJS)
+
+# Option --enable-adminport 
+AC_MSG_CHECKING(if --enable-adminport option is specified)
+AC_ARG_ENABLE(adminport,
+	[  --enable-adminport      enable admin port],
+	[], [enable_adminport=no])
+if test $enable_adminport = "yes"; then
+	AC_DEFINE([ENABLE_ADMINPORT], [], [Enable admin port])
+fi
+AC_MSG_RESULT($enable_adminport)
+
+# Check for Kerberos5 support
+AC_MSG_CHECKING(if --enable-gssapi option is specified)
+AC_ARG_ENABLE(gssapi,
+	[  --enable-gssapi         enable GSS-API authentication],
+	[], [enable_gssapi=no])
+AC_MSG_RESULT($enable_gssapi)
+AC_PATH_PROG(KRB5_CONFIG,krb5-config,no)
+if test "x$enable_gssapi" = "xyes"; then
+	if test "$KRB5_CONFIG" != "no"; then
+		krb5_incdir="`$KRB5_CONFIG --cflags gssapi`"
+		krb5_libs="`$KRB5_CONFIG --libs gssapi`"
+	else
+		# No krb5-config; let's make some assumptions based on
+		# the OS.
+		case $host_os in
+		netbsd*)
+			krb5_incdir="-I/usr/include/krb5"
+			krb5_libs="-lgssapi -lkrb5 -lcom_err -lroken -lasn1"
+			;;
+		*)
+			AC_MSG_ERROR([krb5-config not found, but needed for GSSAPI support. Aborting.])
+			;;
+		esac
+	fi
+	LIBS="$LIBS $krb5_libs"
+	CPPFLAGS_ADD="$krb5_incdir $CPPFLAGS_ADD"
+	AC_DEFINE([HAVE_GSSAPI], [], [Enable GSS API])
+fi
+
+AC_MSG_CHECKING([if --enable-hybrid option is specified])
+AC_ARG_ENABLE(hybrid, 
+    [  --enable-hybrid	  enable hybrid, both mode-cfg and xauth support],
+    [
+	LIBS="$LIBS -lcrypt"; 
+	enable_hybrid=yes;
+	HYBRID_OBJS="isakmp_xauth.o isakmp_cfg.o isakmp_unity.o throttle.o"
+	AC_SUBST(HYBRID_OBJS)
+	AC_DEFINE([ENABLE_HYBRID], [], [Hybrid authentication support])
+    ],
+    [enable_hybrid=no])
+AC_MSG_RESULT($enable_hybrid)
+
+AC_MSG_CHECKING([if --enable-frag option is specified])
+AC_ARG_ENABLE(frag, 
+    [  --enable-frag           enable IKE fragmentation payload support],
+    [
+	LIBS="$LIBS -lcrypt"; 
+	enable_frag=yes;
+	FRAG_OBJS="isakmp_frag.o"
+	AC_SUBST(FRAG_OBJS)
+	AC_DEFINE([ENABLE_FRAG], [], [IKE fragmentation support])
+    ],
+    [enable_frag=no])
+AC_MSG_RESULT($enable_frag)
+
+AC_MSG_CHECKING(if --with-libradius option is specified)
+AC_ARG_WITH(libradius, 
+    [  --with-libradius=DIR    specify libradius path (like/usr/pkg)],
+    [libradius_dir=$withval], 
+    [libradius_dir=no])
+AC_MSG_RESULT($libradius_dir)
+if test "$libradius_dir" != "no"; then
+	if test "$libradius_dir" = "yes" ; then
+		  libradius_dir="";
+	fi;
+	if test "x$libradius_dir" = "x"; then
+		RACOON_PATH_LIBS(rad_create_request, lradius)
+	else
+		if test -d "$libradius_dir/lib" -a \
+		    -d "$libradius_dir/include" ; then
+			RACOON_PATH_LIBS(rad_create_request, lradius, "$libradius_dir/lib")
+			CPPFLAGS_ADD="$CPPFLAGS_ADD -I$libradius_dir/include"
+		else
+			AC_MSG_ERROR([RADIUS libs or includes not found. Aborting.])
+	  	fi
+	fi
+	AC_DEFINE([HAVE_LIBRADIUS], [], [Hybrid authentication uses RADIUS])
+	LIBS="$LIBS -L$libradius_dir/lib -R$libradius_dir/lib -lradius"
+	AC_CHECK_FUNCS(rad_create_request)
+fi
+
+AC_MSG_CHECKING(if --with-libpam option is specified)
+AC_ARG_WITH(libpam, 
+    [  --with-libpam=DIR    specify libpam path (like/usr/pkg)],
+    [libpam_dir=$withval], 
+    [libpam_dir=no])
+AC_MSG_RESULT($libpam_dir)
+if test "$libpam_dir" != "no"; then
+	if test "$libpam_dir" = "yes" ; then
+		  libpam_dir="";
+	fi;
+	if test "x$libpam_dir" = "x"; then
+		RACOON_PATH_LIBS(rad_create_request, lpam)
+	else
+		if test -d "$libpam_dir/lib" -a \
+		    -d "$libpam_dir/include" ; then
+			RACOON_PATH_LIBS(rad_create_request, lpam, "$libpam_dir/lib")
+			CPPFLAGS_ADD="$CPPFLAGS_ADD -I$libpam_dir/include"
+		else
+			AC_MSG_ERROR([PAM libs or includes not found. Aborting.])
+	  	fi
+	fi
+	AC_DEFINE([HAVE_LIBPAM], [], [Hybrid authentication uses PAM])
+	LIBS="$LIBS -L$libpam_dir/lib -R$libpam_dir/lib -lpam"
+	AC_CHECK_FUNCS(rad_create_request)
+fi
+
+AC_MSG_CHECKING(if --enable-stats option is specified)
+AC_ARG_ENABLE(stats,
+        [  --enable-stats          enable statistics logging function],
+        [], [enable_stats=no])
+if test "x$enable_stats" = "xyes"; then
+	AC_DEFINE([ENABLE_STATS], [], [Enable statictics])
+fi
+AC_MSG_RESULT($enable_stats)
+
+AC_MSG_CHECKING(if --enable-dpd option is specified)
+AC_ARG_ENABLE(dpd,
+        [  --enable-dpd            enable dead peer detection],
+        [], [enable_dpd=no])
+if test "x$enable_dpd" = "xyes"; then
+	AC_DEFINE([ENABLE_DPD], [], [Enable dead peer detection])
+fi
+AC_MSG_RESULT($enable_dpd)
+
+
+AC_MSG_CHECKING(if --enable-samode-unspec option is specified)
+AC_ARG_ENABLE(samode-unspec,
+        [  --enable-samode-unspec  enable to use unspecified a mode of SA],
+        [], [enable_samode_unspec=no])
+if test "x$enable_samode_unspec" = "xyes"; then
+	AC_DEFINE([ENABLE_SAMODE_UNSPECIFIED], [], [Enable samode-unspec])
+fi
+AC_MSG_RESULT($enable_samode_unspec)
+
+# Checks if IPv6 is requested
+AC_MSG_CHECKING([whether to enable ipv6])
+AC_ARG_ENABLE(ipv6,
+[  --disable-ipv6          disable ipv6 support],
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       ipv6=no
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       ipv6=yes
+       ;;
+  esac ],
+
+  AC_TRY_RUN([ /* AF_INET6 avalable check */
+#include <sys/types.h>
+#include <sys/socket.h>
+main()
+{
+  exit(0);
+ if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
+   exit(1);
+ else
+   exit(0);
+}
+],
+  AC_MSG_RESULT(yes)
+  AC_DEFINE([INET6], [], [Support IPv6])
+  ipv6=yes,
+  AC_MSG_RESULT(no)
+  ipv6=no,
+  AC_MSG_RESULT(no)
+  ipv6=no
+))
+
+if test "$ipv6" = "yes"; then
+	AC_MSG_CHECKING(for advanced API support)
+	AC_TRY_COMPILE([#ifndef INET6
+#define INET6
+#endif
+#include <sys/types.h>
+#include <netinet/in.h>],
+		[struct in6_pktinfo a;],
+		[AC_MSG_RESULT(yes)
+		 AC_DEFINE([INET6_ADVAPI], [], [Use advanced IPv6 API])],
+		[AC_MSG_RESULT(no)])
+fi
+
+RACOON_CHECK_BUGGY_GETADDRINFO
+if test "$buggygetaddrinfo" = "yes"; then
+	AC_MSG_ERROR([Broken getaddrinfo() is no longer supported. Aborting.])
+fi
+
+# Check if kernel support is available for NAT-T, defaults to no. 
+kernel_natt="no"
+
+AC_MSG_CHECKING(kernel NAT-Traversal support)
+case $host_os in
+linux*)
+# Linux kernel NAT-T check
+AC_EGREP_CPP(yes, 
+[#include <linux/pfkeyv2.h>
+#ifdef SADB_X_EXT_NAT_T_TYPE
+yes
+#endif
+], [kernel_natt="yes"])
+	;;
+freebsd*|netbsd*)
+# NetBSD case
+# Same check for FreeBSD
+AC_CHECK_MEMBER(struct sadb_x_nat_t_type.sadb_x_nat_t_type_len,
+       [kernel_natt="yes"],, [
+#define _KERNEL
+#include <sys/types.h>
+#include <net/pfkeyv2.h>
+])
+	;;
+esac
+AC_MSG_RESULT($kernel_natt)
+
+AC_MSG_CHECKING(whether to support NAT-T)
+AC_ARG_ENABLE(natt,
+	[  --enable-natt           enable NAT-Traversal (yes/no/kernel)],
+        [if test "$enable_natt" = "kernel"; then enable_natt=$kernel_natt; fi],
+	[enable_natt=$kernel_natt])
+AC_MSG_RESULT($enable_natt)
+
+if test "$enable_natt" = "yes"; then
+	if test "$kernel_natt" = "no" ; then 
+		AC_MSG_ERROR([NAT-T requested, but no kernel support! Aborting.])
+	else
+		AC_DEFINE([ENABLE_NATT], [], [Enable NAT-Traversal])
+		NATT_OBJS="nattraversal.o"
+		AC_SUBST(NATT_OBJS)
+	fi
+fi
+
+AC_ARG_ENABLE(natt_00,
+	[  --enable-natt_00           enable NAT-Traversal Draft 00 (yes/no)],
+	[],
+	[enable_natt_00=no])
+
+if test "$enable_natt_00" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_00], [], [Enable NAT-Traversal draft 00])
+fi
+
+
+AC_ARG_ENABLE(natt_01,
+	[  --enable-natt_01           enable NAT-Traversal Draft 01 (yes/no)],
+	[],
+	[enable_natt_01=no])
+
+if test "$enable_natt_01" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_01], [], [Enable NAT-Traversal draft 01])
+fi
+
+
+AC_ARG_ENABLE(natt_02,
+	[  --enable-natt_02           enable NAT-Traversal Draft 02 (yes/no)],
+	[],
+	[enable_natt_02=no])
+
+if test "$enable_natt_02" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_02], [], [Enable NAT-Traversal draft 02])
+fi
+
+
+AC_ARG_ENABLE(natt_03,
+	[  --enable-natt_03           enable NAT-Traversal Draft 03 (yes/no)],
+	[],
+	[enable_natt_03=no])
+
+if test "$enable_natt_03" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_03], [], [Enable NAT-Traversal draft 03])
+fi
+
+
+AC_ARG_ENABLE(natt_04,
+	[  --enable-natt_04           enable NAT-Traversal Draft 04 (yes/no)],
+	[],
+	[enable_natt_05=no])
+
+if test "$enable_natt_04" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_04], [], [Enable NAT-Traversal draft 04])
+fi
+
+
+AC_ARG_ENABLE(natt_05,
+	[  --enable-natt_05           enable NAT-Traversal Draft 05 (yes/no)],
+	[],
+	[enable_natt_05=no])
+
+if test "$enable_natt_05" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_05], [], [Enable NAT-Traversal draft 05])
+fi
+
+
+AC_ARG_ENABLE(natt_06,
+	[  --enable-natt_06           enable NAT-Traversal Draft 06 (yes/no)],
+	[],
+	[enable_natt_06=no])
+
+if test "$enable_natt_06" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_06], [], [Enable NAT-Traversal draft 06])
+fi
+
+
+AC_ARG_ENABLE(natt_07,
+	[  --enable-natt_07           enable NAT-Traversal Draft 07 (yes/no)],
+	[],
+	[enable_natt_07=no])
+
+if test "$enable_natt_07" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_07], [], [Enable NAT-Traversal draft 07])
+fi
+
+
+AC_ARG_ENABLE(natt_08,
+	[  --enable-natt_08           enable NAT-Traversal Draft 08 (yes/no)],
+	[],
+	[enable_natt_08=no])
+
+if test "$enable_natt_08" = "yes"; then
+	AC_DEFINE([ENABLE_NATT_08], [], [Enable NAT-Traversal draft 08])
+fi
+
+
+AC_MSG_CHECKING(whether we support FWD policy)
+case $host in
+	*linux*)
+		AC_TRY_COMPILE([
+		#include <inttypes.h>
+		#include <linux/ipsec.h>
+			], [
+			int fwd = IPSEC_DIR_FWD;
+			],
+			[AC_MSG_RESULT(yes)
+			 AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
+			[AC_MSG_RESULT(no)])
+		;;
+	*)
+		AC_MSG_RESULT(no)
+		;;
+esac
+
+CFLAGS="$CFLAGS $CFLAGS_ADD"
+CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
+
+case $host in
+	*linux*)
+		# Remove KERNEL_INCLUDE from CPPFLAGS. It will
+		# be symlinked to src/include-glibc/linux in
+		# compile time.
+		CPPFLAGS=`echo $CPPFLAGS | sed "s,-I$KERNEL_INCLUDE,,"`
+		;;
+esac
+
+include_racoondir=${includedir}/racoon
+AC_SUBST(include_racoondir)
+
+AC_CONFIG_FILES([
+  Makefile
+  package_version.h
+  src/Makefile
+  src/include-glibc/Makefile
+  src/libipsec/Makefile
+  src/setkey/Makefile
+  src/racoon/Makefile
+  src/racoon/samples/psk.txt
+  src/racoon/samples/racoon.conf
+  rpm/Makefile
+  rpm/suse/Makefile
+  ])
+AC_OUTPUT
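Review bot: The `--with-libpam` block probes libpam for the RADIUS symbol `rad_create_request` (`RACOON_PATH_LIBS(rad_create_request, lpam)`, the same call with `"$libpam_dir/lib"`, and the trailing `AC_CHECK_FUNCS(rad_create_request)`), a copy-paste from the libradius block just above, so the check never detects libpam itself while `-lpam` is still appended to LIBS unconditionally; the three calls should name a PAM entry point such as `pam_start`. The `AF_INET6` run test opens its `main` with an unconditional `exit(0);` ahead of the `socket(AF_INET6, SOCK_STREAM, 0)` call, so `INET6` is defined wherever the probe merely compiles rather than where IPv6 sockets actually work — drop that line, and give `main` an `int` return type plus `#include <stdlib.h>`. The `--enable-natt_04` option defaults `enable_natt_05=no` instead of `enable_natt_04=no`; harmless today because an unset variable also fails the `= "yes"` test, but it silently overrides the natt_05 default if the options are ever reordered. The `--enable-frag` branch also appends `-lcrypt`, which looks copied from the hybrid branch and is presumably not needed for fragmentation support.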
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/package_version.h.in	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,5 @@
+#define TOP_PACKAGE "@PACKAGE@"
+#define TOP_PACKAGE_NAME "@PACKAGE_NAME@"
+#define TOP_PACKAGE_VERSION "@PACKAGE_VERSION@"
+#define TOP_PACKAGE_STRING "@PACKAGE_STRING@"
+#define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/.cvsignore	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,3 @@
+Makefile
+Makefile.in
+ipsec-tools.spec
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/Makefile.am	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,18 @@
+SUBDIRS = suse
+
+EXTRA_DIST = \
+  ipsec-tools.spec.in
+
+all-local: ipsec-tools.spec
+
+## We borrow guile's convention and use @-...-@ as the substitution
+## brackets here, instead of the usual @...@.  This prevents autoconf
+## from substituting the values directly into the left-hand sides of
+## the sed substitutions.  *sigh*
+ipsec-tools.spec: ipsec-tools.spec.in Makefile
+	rm -f $@.tmp
+	sed < $< > $@.tmp \
+	    -e 's:@-VERSION-@:${VERSION}:'
+	mv $@.tmp $@
+
+CLEANFILES = ipsec-tools.spec
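Review bot: The `sed < $< > $@.tmp` recipe uses `$<` in an explicit (non-suffix) rule, which only GNU make expands; other make implementations pass an empty string and sed reads from the terminal or fails. Name the prerequisite directly, `sed < $(srcdir)/ipsec-tools.spec.in > $@.tmp \`, which also keeps VPATH builds working. The same rule appears verbatim in rpm/suse/Makefile.am in this commit.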
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/ipsec-tools.FC1	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# chkconfig: 2345 08 92
+# description:	Starts and stops racoon and loads IPSec SPD's
+#
+# config: /etc/sysconfig/ipsec.spd
+# config: /etc/racoon/racoon.conf
+
+# Contributed by Kimmo Koivisto <kimmo.koivisto@surfeu.fi>
+# Tested with Fedora C1
+
+# Source function library.
+. /etc/init.d/functions
+
+RACOON=/usr/sbin/racoon
+SETKEY=/sbin/setkey
+IPSEC_SPD=/etc/sysconfig/ipsec.spd
+VAR_SUBSYS_IPSEC=/var/lock/subsys/ipsec
+
+if [ ! -x /usr/sbin/$RACOON ]; then
+    echo -n $"/usr/sbin/$RACOON does not exist."; warning; echo
+    exit 0
+fi
+
+
+start() {
+
+	# Check that SPD-file exists and load it.
+	if [ -f "$IPSEC_SPD" ]; then 
+   		$SETKEY -f $IPSEC_SPD 
+	fi
+	$RACOON
+	touch $VAR_SUBSYS_IPSEC
+}
+
+
+stop() {
+	killall $RACOON 2> /dev/null
+	$SETKEY -FD 
+	$SETKEY -FP 
+        rm -f $VAR_SUBSYS_IPSEC
+}
+
+status() {
+    # Do not print status if lockfile is missing
+
+    if [ ! -f "$VAR_SUBSYS_IPSEC" ]; then
+	echo $"IPSec is stopped."
+	return 1
+    fi
+
+    if [ -f "$VAR_SUBSYS_IPSEC" ]; then
+	echo $"IPSec is started."
+	return 0
+    fi
+}
+
+restart() {
+    stop
+    start
+}
+
+
+
+case "$1" in
+    start)
+	start
+	;;
+    stop)
+	stop
+	;;
+    restart)
+	restart
+	;;
+    condrestart)
+	[ -e "$VAR_SUBSYS_IPSEC" ] && restart
+	;;
+    status)
+	status
+	;;
+    *)
+	echo $"Usage: $0 {start|stop|restart|condrestart|status}"
+	exit 1
+	;;
+esac
+
+exit 0
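Review bot: The existence check at the top prepends `/usr/sbin/` to `$RACOON`, which already holds `/usr/sbin/racoon`, so the test looks for `/usr/sbin//usr/sbin/racoon`, always fails, and the script prints the warning and exits 0 before any action is taken. Change it to `if [ ! -x "$RACOON" ]; then` with the message `echo -n $"$RACOON does not exist."; warning; echo`. The two branches of `status()` are complementary, so the second `if` can become a plain `echo $"IPSec is started."; return 0`, and `$IPSEC_SPD` and `$VAR_SUBSYS_IPSEC` would be safer double-quoted where they are expanded unquoted.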
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/ipsec-tools.spec.in	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,60 @@
+Summary: User-space IPsec tools for the Linux IPsec implementation
+Name: ipsec-tools
+Version: @-VERSION-@
+Release: 1
+Epoch: 1
+License: BSD
+Group: System Environment/Base
+URL: http://ipsec-tools.sourceforge.net/
+Source: http://prdownloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
+Requires: kernel >= 2.5.54
+
+#BuildRequires: kernel-source >= 2.5.54
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+%description
+IPsec-Tools is a port of the KAME Project's IPsec tools to the Linux
+IPsec implementation. IPsec-Tools provides racoon, an IKE daemon; libipsec,
+a PFKey implementation; and setkey, a security policy and security
+association database configuration utility.
+
+%prep
+%setup -q
+
+%build
+./configure --prefix=/usr --sysconfdir=/etc --exec-prefix=/ --mandir=%{_mandir} --libdir=/%{_lib}
+make
+
+%install
+rm -rf %{buildroot}
+mkdir %{buildroot}
+make install DESTDIR=%{buildroot}
+
+%post -p /sbin/ldconfig  
+
+%postun -p /sbin/ldconfig 
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-,root,root)
+%doc NEWS README ChangeLog
+%dir %{_sysconfdir}/racoon
+%config %{_sysconfdir}/racoon/*
+/sbin/*
+/%{_lib}/*
+%{_includedir}/*
+%{_mandir}/man[358]/*
+%{_sbindir}/racoon
+
+%changelog
+* Fri Mar 07 2003 Derek Atkins <derek@ihtfp.com> 0.2.1-1
+- Insert into code base.  Dynamically generate the version string.
+
+* Fri Mar 07 2003 Chris Ricker <kaboom@gatech.edu> 0.2.1-1
+- Rev to 0.2.1 release
+- Remove unneeded patch
+
+* Thu Mar 06 2003 Chris Ricker <kaboom@gatech.edu> 0.2-1
+- initial package
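Review bot: `%config %{_sysconfdir}/racoon/*` marks the administrator's `racoon.conf` and `psk.txt` as replaceable: on upgrade rpm installs the packaged samples and moves the edited files aside as `.rpmsave`, silently dropping the site's pre-shared keys and policy. Use `%config(noreplace) %{_sysconfdir}/racoon/*`, as the SUSE spec in this commit already does for the same files. Because `psk.txt` holds secrets, consider pinning its mode explicitly, e.g. `%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/racoon/psk.txt`, unless the install step already does so; the SUSE spec's `/etc/racoon/psk.txt` entry would benefit from the same `%attr`.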
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/suse/.cvsignore	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,3 @@
+Makefile
+Makefile.in
+ipsec-tools.spec
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/suse/Makefile.am	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,15 @@
+EXTRA_DIST = ipsec-tools.spec.in racoon.init sysconfig.racoon
+
+all-local: ipsec-tools.spec
+
+## We borrow guile's convention and use @-...-@ as the substitution
+## brackets here, instead of the usual @...@.  This prevents autoconf
+## from substituting the values directly into the left-hand sides of
+## the sed substitutions.  *sigh*
+ipsec-tools.spec: ipsec-tools.spec.in Makefile
+	rm -f $@.tmp
+	sed < $< > $@.tmp \
+	    -e 's:@-VERSION-@:${VERSION}:'
+	mv $@.tmp $@
+
+CLEANFILES = ipsec-tools.spec
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/suse/ipsec-tools.spec.in	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,110 @@
+#
+# spec file for package ipsec-tools
+#
+# Copyright (c) 2004 SUSE LINUX AG, Nuernberg, Germany.
+# This file and all modifications and additions to the pristine
+# package are under the same license as the package itself.
+#
+# Please submit bugfixes or comments via http://www.suse.de/feedback/
+#
+
+# norootforbuild
+# neededforbuild  kernel-source openssl openssl-devel readline-devel
+
+BuildRequires: aaa_base acl attr bash bind-utils bison bzip2 coreutils cpio cpp cracklib cvs cyrus-sasl db devs diffutils e2fsprogs file filesystem fillup findutils flex gawk gdbm-devel glibc glibc-devel glibc-locale gpm grep groff gzip info insserv less libacl libattr libgcc libselinux libstdc++ libxcrypt libzio m4 make man mktemp module-init-tools ncurses ncurses-devel net-tools netcfg openldap2-client openssl pam pam-modules patch permissions popt procinfo procps psmisc pwdutils rcs readline sed strace syslogd sysvinit tar tcpd texinfo timezone unzip util-linux vim zlib zlib-devel autoconf automake binutils gcc gdbm gettext kernel-source libtool openssl-devel perl readline-devel rpm
+
+Name:         ipsec-tools
+Version:      @-VERSION-@
+Release:      0
+License:      Other License(s), see package, BSD
+Group:        Productivity/Networking/Security
+Provides:     racoon
+PreReq:       %insserv_prereq %fillup_prereq
+Autoreqprov:  on
+Summary:      IPsec Utilities
+Source:       http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-%{version}.tar.bz2
+Source1:      racoon.init
+Source2:      sysconfig.racoon
+URL:          http://ipsec-tools.sourceforge.net/
+Prefix:       /usr
+BuildRoot:    %{_tmppath}/%{name}-%{version}-build
+
+%description
+This is the IPsec-Tools package.  This package is needed to really make
+use of the IPsec functionality in the version 2.5 and 2.6 Linux
+kernels.  This package builds:
+
+- libipsec, a PFKeyV2 library
+
+- setkey, a program to directly manipulate policies and SAs
+
+- racoon, an IKEv1 keying daemon
+
+These sources can be found at the IPsec-Tools home page at:
+http://ipsec-tools.sourceforge.net/
+
+
+
+Authors:
+--------
+    Derek Atkins  <derek@ihtfp.com>
+    Michal Ludvig <mludvig@suse.cz>
+
+%prep
+%setup
+
+%build
+%{suse_update_config -f . src/racoon}
+CFLAGS="$RPM_OPT_FLAGS" \
+./configure --prefix=/usr --disable-shared \
+	--mandir=%{_mandir} --infodir=%{_infodir} --libdir=%{_libdir} \
+	--libexecdir=%{_libdir} --sysconfdir=/etc/racoon \
+	--sharedstatedir=/var/run --localstatedir=/var \
+	--enable-dpd --enable-hybrid --enable-frag
+make 
+make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
+install -m 0755 $RPM_SOURCE_DIR/racoon.init $RPM_BUILD_ROOT/etc/init.d/racoon
+ln -sf /etc/init.d/racoon $RPM_BUILD_ROOT/usr/sbin/rcracoon
+mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
+install -m 644 $RPM_SOURCE_DIR/sysconfig.racoon $RPM_BUILD_ROOT/var/adm/fillup-templates/
+mkdir -p $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
+cp -rv src/racoon/samples $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
+cp -v src/setkey/sample* $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
+
+%post
+%{fillup_and_insserv racoon}
+
+%postun
+%{insserv_cleanup}
+
+%clean
+if test ! -z "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != "/"; then
+  rm -rf $RPM_BUILD_ROOT
+fi
+
+%files
+%defattr(-,root,root)
+%dir /etc/racoon
+%config(noreplace) /etc/racoon/psk.txt
+%config(noreplace) /etc/racoon/racoon.conf
+%config(noreplace) /etc/racoon/setkey.conf
+%config /etc/init.d/racoon
+/usr/sbin/rcracoon
+%dir /usr/include/libipsec/
+%doc /usr/share/doc/packages/%{name}/
+/var/adm/fillup-templates/sysconfig.racoon
+/usr/include/libipsec/libpfkey.h
+/usr/%{_lib}/libipsec.a
+/usr/%{_lib}/libipsec.la
+/usr/sbin/racoon
+/usr/sbin/racoonctl
+/usr/sbin/setkey
+/usr/sbin/plainrsa-gen
+%{_mandir}/man*/*
+
+%changelog -n ipsec-tools
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/suse/racoon.init	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,168 @@
+#! /bin/sh
+# Copyright (c) 2001-2002 SuSE GmbH Nuernberg, Germany.
+#
+# Author: Michal Ludvig <feedback@suse.de>, 2004
+#
+# /etc/init.d/ipsec-tools
+#   and its symbolic link
+# /usr/sbin/rcipsec-tools
+#
+# System startup script for the IPsec key management daemon
+#
+### BEGIN INIT INFO
+# Provides:       racoon
+# Required-Start: $remote_fs $named $syslog
+# Required-Stop:  $remote_fs $named $syslog
+# Default-Start:  3 5
+# Default-Stop:   0 1 2 6
+# Description:    IPsec key management daemon
+### END INIT INFO
+
+SETKEY="IPsec policies"
+SETKEY_BIN=/usr/sbin/setkey
+SETKEY_CONF=/etc/racoon/setkey.conf
+
+RACOON="IPsec IKE daemon (racoon)"
+RACOON_BIN=/usr/sbin/racoon
+RACOON_CONF=/etc/racoon/racoon.conf
+RACOON_PIDFILE=/var/run/racoon.pid
+
+test -x $SETKEY_BIN || exit 5
+test -x $RACOON_BIN || exit 5
+
+test -f /etc/sysconfig/racoon && . /etc/sysconfig/racoon
+
+# Shell functions sourced from /etc/rc.status:
+#      rc_check         check and set local and overall rc status
+#      rc_status        check and set local and overall rc status
+#      rc_status -v     ditto but be verbose in local rc status
+#      rc_status -v -r  ditto and clear the local rc status
+#      rc_failed        set local and overall rc status to failed
+#      rc_failed <num>  set local and overall rc status to <num><num>
+#      rc_reset         clear local rc status (overall remains)
+#      rc_exit          exit appropriate to overall rc status
+. /etc/rc.status
+
+# First reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+# 
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signalling is not supported) are
+# considered a success.
+
+case "$1" in
+    start)
+	# Setting up SPD policies is not required.
+	if [ -f $SETKEY_CONF ]; then
+		echo -n "Setting up $SETKEY"
+		$SETKEY_BIN $SETKEY_OPTIONS -f $SETKEY_CONF
+		rc_status -v
+		rc_reset
+	fi
+	
+	echo -n "Starting $RACOON "
+	## If there is no conf file, skip starting of ddtd
+	## and return with "program not configured"
+	if ! [ -f $RACOON_CONF ]; then
+		echo -e -n "... no configuration file found"
+		rc_status -s
+		# service is not configured
+		rc_failed 6
+		rc_exit
+	fi
+
+	# startproc should return 0, even if service is 
+	# already running to match LSB spec.
+	startproc $RACOON_BIN $RACOON_OPTIONS -f $RACOON_CONF
+	rc_status -v
+	;;
+
+    stop)
+	echo -n "Shutting down $RACOON"
+	## Stop daemon with killproc(8) and if this fails
+	## set echo the echo return value.
+
+	killproc -p $RACOON_PIDFILE -TERM $RACOON_BIN
+
+	# Remember status and be verbose
+	rc_status -v
+	rc_reset
+
+	# Flush SPD policies if required
+	if [ -n "$SETKEY_FLUSH_OPTIONS" ]; then
+		echo -n "Flushing $SETKEY"
+		$SETKEY_BIN $SETKEY_FLUSH_OPTIONS
+		rc_status -v
+	fi
+	;;
+    try-restart)
+	## Stop the service and if this succeeds (i.e. the 
+	## service was running before), start it again.
+	$0 stop  &&  $0 start
+
+	# Remember status and be quiet
+	rc_status
+	;;
+    restart)
+	## Stop the service and regardless of whether it was
+	## running or not, start it again.
+	$0 stop
+	$0 start
+
+	# Remember status and be quiet
+	rc_status
+	;;
+    force-reload)
+	## Signal the daemon to reload its config. Most daemons
+	## do this on signal 1 (SIGHUP).
+	## If it does not support it, restart.
+
+	echo -n "Reload service $RACOON"
+	killproc -p $RACOON_PIDFILE -HUP $RACOON_BIN
+	rc_status -v
+	;;
+    reload)
+	## Like force-reload, but if daemon does not support
+	## signalling, do nothing (!)
+
+	echo -n "Reload service $RACOON"
+	killproc -p $RACOON_PIDFILE -HUP $RACOON_BIN
+	rc_status -v
+	;;
+    status)
+	echo -n "Checking for $RACOON: "
+	## Check status with checkproc(8), if process is running
+	## checkproc will return with exit status 0.
+
+	# Status has a slightly different for the status command:
+	# 0 - service running
+	# 1 - service dead, but /var/run/  pid  file exists
+	# 2 - service dead, but /var/lock/ lock file exists
+	# 3 - service not running
+
+	checkproc -p $RACOON_PIDFILE $RACOON_BIN
+	rc_status -v
+	;;
+    probe)
+	## Optional: Probe for the necessity of a reload,
+	## give out the argument which is required for a reload.
+
+	test "$RACOON_CONF" -nt "$RACOON_PIDFILE" && echo reload
+	;;
+    *)
+	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+	exit 1
+	;;
+esac
+rc_exit
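Review bot: The header comment names the script `/etc/init.d/ipsec-tools` with symlink `/usr/sbin/rcipsec-tools`, but the SUSE spec in this commit installs it as `/etc/init.d/racoon` and links `/usr/sbin/rcracoon`; update the two comment lines to `# /etc/init.d/racoon` and `# /usr/sbin/rcracoon` so the documented paths match the installed ones. The comment in the `start)` branch, `## If there is no conf file, skip starting of ddtd`, looks copied from another service and should read `skip starting of racoon`.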
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/rpm/suse/sysconfig.racoon	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,24 @@
+## Path:	Network/IPsec
+## Description:	IPsec keying daemon (IKE)
+## Type:	string
+## Default:	"-v"
+# 
+# Start-up flags for the racoon dameon.
+#
+RACOON_OPTIONS="-v"
+
+## Path:	Network/IPsec
+## Description:	Tool for manipulation IPsec SPD and SA databases
+## Type:	string
+## Default:	""
+# 
+# Additional flags uset when inserting SPD rules.
+#
+SETKEY_OPTIONS=""
+
+## Type:	string
+## Default:	"-FP"
+# 
+# Flags to flush SPD on racoon exit.
+#
+SETKEY_FLUSH_OPTIONS="-FP"
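Review bot: The third variable block lacks the `## Path:` and `## Description:` header lines that the first two carry, so the sysconfig tooling that parses these headers will group `SETKEY_FLUSH_OPTIONS` inconsistently; add `## Path:	Network/IPsec` and `## Description:	Flags passed to setkey when racoon stops` above its `## Type:` line. There are also three typos in the comments: `dameon` for `daemon`, `Tool for manipulation IPsec` for `Tool for manipulating IPsec`, and `flags uset when` for `flags used when`.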
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/.cvsignore	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,2 @@
+Makefile
+Makefile.in
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/Makefile.am	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,1 @@
+SUBDIRS = @INCLUDE_GLIBC@ libipsec setkey racoon
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/.cvsignore	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,3 @@
+Makefile
+Makefile.in
+.includes
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,14 @@
+
+.includes: ${top_builddir}/config.status
+	ln -sf $(KERNEL_INCLUDE)/linux
+	touch .includes
+
+all: .includes
+
+EXTRA_DIST = \
+  glibc-bugs.h \
+  net/pfkeyv2.h \
+  netinet/ipsec.h \
+  sys/queue.h
+
+DISTCLEANFILES = .includes linux
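Review bot: The `.includes` rule re-runs whenever `config.status` is newer, and on a second run `ln -sf $(KERNEL_INCLUDE)/linux` sees the existing `linux` symlink to a directory, dereferences it, and creates `linux/linux` inside the kernel include tree instead of refreshing the link. Remove the old link first, `rm -f linux` followed by `ln -s $(KERNEL_INCLUDE)/linux linux`, so the recipe is idempotent; naming the link explicitly also avoids relying on the basename default. If `KERNEL_INCLUDE` can be empty on non-Linux hosts the rule would link `/linux`, so it may deserve a guard or to be made conditional in configure.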
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,10 @@
+#ifndef __GLIBC_BUGS_H__
+#define __GLIBC_BUGS_H__ 1
+
+#define _XOPEN_SOURCE 500
+#define _BSD_SOURCE
+
+#include <features.h>
+#include <sys/types.h>
+
+#endif
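Review bot: The include guard `__GLIBC_BUGS_H__` starts with a double underscore, which C reserves for the implementation; the same applies to `__NET_PFKEYV2_H_` in src/include-glibc/net/pfkeyv2.h in this commit. Rename them to something like `GLIBC_BUGS_H` and `NET_PFKEYV2_H`. `_XOPEN_SOURCE` and `_BSD_SOURCE` are also defined unconditionally, so a build that already sets them on the command line gets redefinition warnings; wrapping each in `#ifndef _XOPEN_SOURCE` / `#endif` avoids that.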
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,69 @@
+#ifndef __NET_PFKEYV2_H_
+#define __NET_PFKEYV2_H_ 1
+
+#include <stdint.h>
+#include <linux/pfkeyv2.h>
+
+/* Private allocations for authentication algorithms */
+#define SADB_AALG_SHA2_256		SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256		SADB_X_AALG_SHA2_256HMAC
+#define SADB_AALG_SHA2_384		SADB_X_AALG_SHA2_384HMAC
+#define SADB_X_AALG_SHA2_384		SADB_X_AALG_SHA2_384HMAC
+#define SADB_AALG_SHA2_512		SADB_X_AALG_SHA2_512HMAC
+#define SADB_X_AALG_SHA2_512		SADB_X_AALG_SHA2_512HMAC
+#define SADB_AALG_RIPEMD160HMAC		SADB_X_AALG_RIPEMD160HMAC
+#define SADB_X_AALG_MD5              249
+#define SADB_X_AALG_SHA              250
+
+/* private allocations - based on RFC2407/IANA assignment */
+#define SADB_X_EALG_CAST128CBC	5	/* SADB_X_EALG_CASTCBC? == 6 */
+#define SADB_X_EALG_RIJNDAELCBC		SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AES			SADB_X_EALG_AESCBC
+
+
+#define SADB_X_CALG_NONE	0
+#define SADB_X_CALG_OUI		1
+#define SADB_X_CALG_DEFLATE	2
+#define SADB_X_CALG_LZS		3
+#define SADB_X_CALG_MAX		4
+
+
+#define SADB_X_EXT_NONE		0x0000	/* i.e. new format. */
+#define SADB_X_EXT_OLD		0x0001	/* old format. */
+
+#define SADB_X_EXT_IV4B		0x0010	/* IV length of 4 bytes in use */
+#define SADB_X_EXT_DERIV	0x0020	/* DES derived */
+#define SADB_X_EXT_CYCSEQ	0x0040	/* allowing to cyclic sequence. */
+
+	/* three of followings are exclusive flags each them */
+#define SADB_X_EXT_PSEQ		0x0000	/* sequencial padding for ESP */
+#define SADB_X_EXT_PRAND	0x0100	/* random padding for ESP */
+#define SADB_X_EXT_PZERO	0x0200	/* zero padding for ESP */
+#define SADB_X_EXT_PMASK	0x0300	/* mask for padding flag */
+
+#define SADB_X_EXT_RAWCPI	0x0080	/* use well known CPI (IPComp) */
+
+
+#define PFKEY_SOFT_LIFETIME_RATE	80
+
+#define SADB_X_LIFETIME_ALLOCATIONS	0
+#define SADB_X_LIFETIME_BYTES		1
+#define SADB_X_LIFETIME_ADDTIME		2
+#define SADB_X_LIFETIME_USETIME		3
+
+
+#define PFKEY_ALIGN8(a) (1 + (((a) - 1) | (8 - 1)))
+#define	PFKEY_EXTLEN(msg) \
+	PFKEY_UNUNIT64(((struct sadb_ext *)(msg))->sadb_ext_len)
+#define PFKEY_ADDR_PREFIX(ext) \
+	(((struct sadb_address *)(ext))->sadb_address_prefixlen)
+#define PFKEY_ADDR_PROTO(ext) \
+	(((struct sadb_address *)(ext))->sadb_address_proto)
+#define PFKEY_ADDR_SADDR(ext) \
+	((struct sockaddr *)((caddr_t)(ext) + sizeof(struct sadb_address)))
+
+/* in 64bits */
+#define	PFKEY_UNUNIT64(a)	((a) << 3)
+#define	PFKEY_UNIT64(a)		((a) >> 3)
+
+#endif
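Review bot: `PFKEY_ADDR_SADDR` expands to `caddr_t` and `struct sockaddr`, neither of which is declared by the two headers this file includes, so it is not self-contained and compiles only if the including translation unit happened to pull in `<sys/types.h>` and `<sys/socket.h>` first; add `#include <sys/types.h>` and `#include <sys/socket.h>` after `<stdint.h>`. The trailing comment on `SADB_X_EALG_CAST128CBC 5` already questions the value; the header says these follow RFC2407/IANA, where CAST is transform 6 and the kernel's own `SADB_X_EALG_CASTCBC` is the matching constant, so this looks like it should read `#define SADB_X_EALG_CAST128CBC SADB_X_EALG_CASTCBC` — worth confirming against the kernel header before changing.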
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,2 @@
+#include <net/pfkeyv2.h>
+#include <linux/ipsec.h>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,452 @@
+/*
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)queue.h	8.5 (Berkeley) 8/20/94
+ * $FreeBSD: src/sys/sys/queue.h,v 1.58 2004/04/07 04:19:49 imp Exp $
+ *
+ * 04/24/2004    Backport to v1.45 functionality for ipsec-tools
+ *               Heiko Hund <heiko@ist.eigentlich.net>
+ */
+
+#ifndef _SYS_QUEUE_H_
+#define _SYS_QUEUE_H_
+
+//#include <sys/cdefs.h>
+
+/*
+ * This file defines four types of data structures: singly-linked lists,
+ * singly-linked tail queues, lists and tail queues.
+ *
+ * A singly-linked list is headed by a single forward pointer. The elements
+ * are singly linked for minimum space and pointer manipulation overhead at
+ * the expense of O(n) removal for arbitrary elements. New elements can be
+ * added to the list after an existing element or at the head of the list.
+ * Elements being removed from the head of the list should use the explicit
+ * macro for this purpose for optimum efficiency. A singly-linked list may
+ * only be traversed in the forward direction.  Singly-linked lists are ideal
+ * for applications with large datasets and few or no removals or for
+ * implementing a LIFO queue.
+ *
+ * A singly-linked tail queue is headed by a pair of pointers, one to the
+ * head of the list and the other to the tail of the list. The elements are
+ * singly linked for minimum space and pointer manipulation overhead at the
+ * expense of O(n) removal for arbitrary elements. New elements can be added
+ * to the list after an existing element, at the head of the list, or at the
+ * end of the list. Elements being removed from the head of the tail queue
+ * should use the explicit macro for this purpose for optimum efficiency.
+ * A singly-linked tail queue may only be traversed in the forward direction.
+ * Singly-linked tail queues are ideal for applications with large datasets
+ * and few or no removals or for implementing a FIFO queue.
+ *
+ * A list is headed by a single forward pointer (or an array of forward
+ * pointers for a hash table header). The elements are doubly linked
+ * so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list before
+ * or after an existing element or at the head of the list. A list
+ * may only be traversed in the forward direction.
+ *
+ * A tail queue is headed by a pair of pointers, one to the head of the
+ * list and the other to the tail of the list. The elements are doubly
+ * linked so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list before or
+ * after an existing element, at the head of the list, or at the end of
+ * the list. A tail queue may be traversed in either direction.
+ *
+ * For details on the use of these macros, see the queue(3) manual page.
+ *
+ *
+ *			SLIST	LIST	STAILQ	TAILQ
+ * _HEAD		+	+	+	+
+ * _HEAD_INITIALIZER	+	+	+	+
+ * _ENTRY		+	+	+	+
+ * _INIT		+	+	+	+
+ * _EMPTY		+	+	+	+
+ * _FIRST		+	+	+	+
+ * _NEXT		+	+	+	+
+ * _PREV		-	-	-	+
+ * _LAST		-	-	+	+
+ * _FOREACH		+	+	+	+
+ * _FOREACH_REVERSE	-	-	-	+
+ * _INSERT_HEAD		+	+	+	+
+ * _INSERT_BEFORE	-	+	-	+
+ * _INSERT_AFTER	+	+	+	+
+ * _INSERT_TAIL		-	-	+	+
+ * _REMOVE_HEAD		+	-	+	-
+ * _REMOVE		+	+	+	+
+ *
+ */
+
+/*
+ * Singly-linked List declarations.
+ */
+#define	SLIST_HEAD(name, type)						\
+struct name {								\
+	struct type *slh_first;	/* first element */			\
+}
+
+#define	SLIST_HEAD_INITIALIZER(head)					\
+	{ NULL }
+ 
+#define	SLIST_ENTRY(type)						\
+struct {								\
+	struct type *sle_next;	/* next element */			\
+}
+ 
+/*
+ * Singly-linked List functions.
+ */
+#define	SLIST_EMPTY(head)	((head)->slh_first == NULL)
+
+#define	SLIST_FIRST(head)	((head)->slh_first)
+
+#define	SLIST_FOREACH(var, head, field)					\
+	for ((var) = SLIST_FIRST((head));				\
+	    (var);							\
+	    (var) = SLIST_NEXT((var), field))
+
+#define	SLIST_INIT(head) do {						\
+	SLIST_FIRST((head)) = NULL;					\
+} while (0)
+
+#define	SLIST_INSERT_AFTER(slistelm, elm, field) do {			\
+	SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field);	\
+	SLIST_NEXT((slistelm), field) = (elm);				\
+} while (0)
+
+#define	SLIST_INSERT_HEAD(head, elm, field) do {			\
+	SLIST_NEXT((elm), field) = SLIST_FIRST((head));			\
+	SLIST_FIRST((head)) = (elm);					\
+} while (0)
+
+#define	SLIST_NEXT(elm, field)	((elm)->field.sle_next)
+
+#define	SLIST_REMOVE(head, elm, type, field) do {			\
+	if (SLIST_FIRST((head)) == (elm)) {				\
+		SLIST_REMOVE_HEAD((head), field);			\
+	}								\
+	else {								\
+		struct type *curelm = SLIST_FIRST((head));		\
+		while (SLIST_NEXT(curelm, field) != (elm))		\
+			curelm = SLIST_NEXT(curelm, field);		\
+		SLIST_NEXT(curelm, field) =				\
+		    SLIST_NEXT(SLIST_NEXT(curelm, field), field);	\
+	}								\
+} while (0)
+
+#define	SLIST_REMOVE_HEAD(head, field) do {				\
+	SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field);	\
+} while (0)
+
+/*
+ * Singly-linked Tail queue declarations.
+ */
+#define	STAILQ_HEAD(name, type)						\
+struct name {								\
+	struct type *stqh_first;/* first element */			\
+	struct type **stqh_last;/* addr of last next element */		\
+}
+
+#define	STAILQ_HEAD_INITIALIZER(head)					\
+	{ NULL, &(head).stqh_first }
+
+#define	STAILQ_ENTRY(type)						\
+struct {								\
+	struct type *stqe_next;	/* next element */			\
+}
+
+/*
+ * Singly-linked Tail queue functions.
+ */
+#define	STAILQ_EMPTY(head)	((head)->stqh_first == NULL)
+
+#define	STAILQ_FIRST(head)	((head)->stqh_first)
+
+#define	STAILQ_FOREACH(var, head, field)				\
+	for((var) = STAILQ_FIRST((head));				\
+	   (var);							\
+	   (var) = STAILQ_NEXT((var), field))
+
+#define	STAILQ_INIT(head) do {						\
+	STAILQ_FIRST((head)) = NULL;					\
+	(head)->stqh_last = &STAILQ_FIRST((head));			\
+} while (0)
+
+#define	STAILQ_INSERT_AFTER(head, tqelm, elm, field) do {		\
+	if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\
+		(head)->stqh_last = &STAILQ_NEXT((elm), field);		\
+	STAILQ_NEXT((tqelm), field) = (elm);				\
+} while (0)
+
+#define	STAILQ_INSERT_HEAD(head, elm, field) do {			\
+	if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL)	\
+		(head)->stqh_last = &STAILQ_NEXT((elm), field);		\
+	STAILQ_FIRST((head)) = (elm);					\
+} while (0)
+
+#define	STAILQ_INSERT_TAIL(head, elm, field) do {			\
+	STAILQ_NEXT((elm), field) = NULL;				\
+	*(head)->stqh_last = (elm);					\
+	(head)->stqh_last = &STAILQ_NEXT((elm), field);			\
+} while (0)
+
+#define	STAILQ_LAST(head, type, field)					\
+	(STAILQ_EMPTY(head) ?						\
+		NULL :							\
+	        ((struct type *)					\
+		((char *)((head)->stqh_last) - __offsetof(struct type, field))))
+
+#define	STAILQ_NEXT(elm, field)	((elm)->field.stqe_next)
+
+#define	STAILQ_REMOVE(head, elm, type, field) do {			\
+	if (STAILQ_FIRST((head)) == (elm)) {				\
+		STAILQ_REMOVE_HEAD(head, field);			\
+	}								\
+	else {								\
+		struct type *curelm = STAILQ_FIRST((head));		\
+		while (STAILQ_NEXT(curelm, field) != (elm))		\
+			curelm = STAILQ_NEXT(curelm, field);		\
+		if ((STAILQ_NEXT(curelm, field) =			\
+		     STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\
+			(head)->stqh_last = &STAILQ_NEXT((curelm), field);\
+	}								\
+} while (0)
+
+#define	STAILQ_REMOVE_HEAD(head, field) do {				\
+	if ((STAILQ_FIRST((head)) =					\
+	     STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL)		\
+		(head)->stqh_last = &STAILQ_FIRST((head));		\
+} while (0)
+
+#define	STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do {			\
+	if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL)	\
+		(head)->stqh_last = &STAILQ_FIRST((head));		\
+} while (0)
+
+/*
+ * List declarations.
+ */
+#define	LIST_HEAD(name, type)						\
+struct name {								\
+	struct type *lh_first;	/* first element */			\
+}
+
+#define	LIST_HEAD_INITIALIZER(head)					\
+	{ NULL }
+
+#define	LIST_ENTRY(type)						\
+struct {								\
+	struct type *le_next;	/* next element */			\
+	struct type **le_prev;	/* address of previous next element */	\
+}
+
+/*
+ * List functions.
+ */
+
+#define	LIST_EMPTY(head)	((head)->lh_first == NULL)
+
+#define	LIST_FIRST(head)	((head)->lh_first)
+
+#define	LIST_FOREACH(var, head, field)					\
+	for ((var) = LIST_FIRST((head));				\
+	    (var);							\
+	    (var) = LIST_NEXT((var), field))
+
+#define	LIST_INIT(head) do {						\
+	LIST_FIRST((head)) = NULL;					\
+} while (0)
+
+#define	LIST_INSERT_AFTER(listelm, elm, field) do {			\
+	if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\
+		LIST_NEXT((listelm), field)->field.le_prev =		\
+		    &LIST_NEXT((elm), field);				\
+	LIST_NEXT((listelm), field) = (elm);				\
+	(elm)->field.le_prev = &LIST_NEXT((listelm), field);		\
+} while (0)
+
+#define	LIST_INSERT_BEFORE(listelm, elm, field) do {			\
+	(elm)->field.le_prev = (listelm)->field.le_prev;		\
+	LIST_NEXT((elm), field) = (listelm);				\
+	*(listelm)->field.le_prev = (elm);				\
+	(listelm)->field.le_prev = &LIST_NEXT((elm), field);		\
+} while (0)
+
+#define	LIST_INSERT_HEAD(head, elm, field) do {				\
+	if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL)	\
+		LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\
+	LIST_FIRST((head)) = (elm);					\
+	(elm)->field.le_prev = &LIST_FIRST((head));			\
+} while (0)
+
+#define	LIST_NEXT(elm, field)	((elm)->field.le_next)
+
+#define	LIST_REMOVE(elm, field) do {					\
+	if (LIST_NEXT((elm), field) != NULL)				\
+		LIST_NEXT((elm), field)->field.le_prev = 		\
+		    (elm)->field.le_prev;				\
+	*(elm)->field.le_prev = LIST_NEXT((elm), field);		\
+} while (0)
+
+/*
+ * Tail queue declarations.
+ */
+#define	TAILQ_HEAD(name, type)						\
+struct name {								\
+	struct type *tqh_first;	/* first element */			\
+	struct type **tqh_last;	/* addr of last next element */		\
+}
+
+#define	TAILQ_HEAD_INITIALIZER(head)					\
+	{ NULL, &(head).tqh_first }
+
+#define	TAILQ_ENTRY(type)						\
+struct {								\
+	struct type *tqe_next;	/* next element */			\
+	struct type **tqe_prev;	/* address of previous next element */	\
+}
+
+/*
+ * Tail queue functions.
+ */
+#define	TAILQ_EMPTY(head)	((head)->tqh_first == NULL)
+
+#define	TAILQ_FIRST(head)	((head)->tqh_first)
+
+#define	TAILQ_FOREACH(var, head, field)					\
+	for ((var) = TAILQ_FIRST((head));				\
+	    (var);							\
+	    (var) = TAILQ_NEXT((var), field))
+
+#define	TAILQ_FOREACH_REVERSE(var, head, headname, field)		\
+	for ((var) = TAILQ_LAST((head), headname);			\
+	    (var);							\
+	    (var) = TAILQ_PREV((var), headname, field))
+
+#define	TAILQ_INIT(head) do {						\
+	TAILQ_FIRST((head)) = NULL;					\
+	(head)->tqh_last = &TAILQ_FIRST((head));			\
+} while (0)
+
+#define	TAILQ_INSERT_AFTER(head, listelm, elm, field) do {		\
+	if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\
+		TAILQ_NEXT((elm), field)->field.tqe_prev = 		\
+		    &TAILQ_NEXT((elm), field);				\
+	else								\
+		(head)->tqh_last = &TAILQ_NEXT((elm), field);		\
+	TAILQ_NEXT((listelm), field) = (elm);				\
+	(elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field);		\
+} while (0)
+
+#define	TAILQ_INSERT_BEFORE(listelm, elm, field) do {			\
+	(elm)->field.tqe_prev = (listelm)->field.tqe_prev;		\
+	TAILQ_NEXT((elm), field) = (listelm);				\
+	*(listelm)->field.tqe_prev = (elm);				\
+	(listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field);		\
+} while (0)
+
+#define	TAILQ_INSERT_HEAD(head, elm, field) do {			\
+	if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL)	\
+		TAILQ_FIRST((head))->field.tqe_prev =			\
+		    &TAILQ_NEXT((elm), field);				\
+	else								\
+		(head)->tqh_last = &TAILQ_NEXT((elm), field);		\
+	TAILQ_FIRST((head)) = (elm);					\
+	(elm)->field.tqe_prev = &TAILQ_FIRST((head));			\
+} while (0)
+
+#define	TAILQ_INSERT_TAIL(head, elm, field) do {			\
+	TAILQ_NEXT((elm), field) = NULL;				\
+	(elm)->field.tqe_prev = (head)->tqh_last;			\
+	*(head)->tqh_last = (elm);					\
+	(head)->tqh_last = &TAILQ_NEXT((elm), field);			\
+} while (0)
+
+#define	TAILQ_LAST(head, headname)					\
+	(*(((struct headname *)((head)->tqh_last))->tqh_last))
+
+#define	TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
+
+#define	TAILQ_PREV(elm, headname, field)				\
+	(*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
+
+#define	TAILQ_REMOVE(head, elm, field) do {				\
+	if ((TAILQ_NEXT((elm), field)) != NULL)				\
+		TAILQ_NEXT((elm), field)->field.tqe_prev = 		\
+		    (elm)->field.tqe_prev;				\
+	else								\
+		(head)->tqh_last = (elm)->field.tqe_prev;		\
+	*(elm)->field.tqe_prev = TAILQ_NEXT((elm), field);		\
+} while (0)
+
+
+#ifdef _KERNEL
+
+/*
+ * XXX insque() and remque() are an old way of handling certain queues.
+ * They bogusly assumes that all queue heads look alike.
+ */
+
+struct quehead {
+	struct quehead *qh_link;
+	struct quehead *qh_rlink;
+};
+
+#ifdef	__GNUC__
+
+static __inline void
+insque(void *a, void *b)
+{
+	struct quehead *element = (struct quehead *)a,
+		 *head = (struct quehead *)b;
+
+	element->qh_link = head->qh_link;
+	element->qh_rlink = head;
+	head->qh_link = element;
+	element->qh_link->qh_rlink = element;
+}
+
+static __inline void
+remque(void *a)
+{
+	struct quehead *element = (struct quehead *)a;
+
+	element->qh_link->qh_rlink = element->qh_rlink;
+	element->qh_rlink->qh_link = element->qh_link;
+	element->qh_rlink = 0;
+}
+
+#else /* !__GNUC__ */
+
+void	insque __P((void *a, void *b));
+void	remque __P((void *a));
+
+#endif /* __GNUC__ */
+
+#endif /* _KERNEL */
+
+#endif /* !_SYS_QUEUE_H_ */
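Review bot: `STAILQ_LAST` expands to `__offsetof(struct type, field)`, a FreeBSD `<sys/cdefs.h>` macro; that include is commented out near the top of this backport and glibc's headers do not appear to provide `__offsetof`, so any user of `STAILQ_LAST` fails to compile on the glibc targets this directory exists for. Add `#include <stddef.h>` and, guarded by `#ifndef __offsetof`, `#define __offsetof(type, field) offsetof(type, field)`. The `//` comment on the disabled include is also the only C99-style comment in an otherwise C89-style header.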
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/.cvsignore	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,9 @@
+policy_parse.c
+policy_parse.h
+policy_token.c
+Makefile
+Makefile.in
+.libs
+.deps
+*.la
+*.lo
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/Makefile.am	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,39 @@
+
+#bin_PROGRAMS = test-policy test-policy-priority
+lib_LTLIBRARIES = libipsec.la
+
+libipsecdir = $(includedir)/libipsec
+libipsec_HEADERS = libpfkey.h
+
+man3_MANS = ipsec_set_policy.3 ipsec_strerror.3
+
+AM_CFLAGS = @GLIBC_BUGS@
+AM_YFLAGS = -d -p __libipsec
+AM_LFLAGS = -P__libipsec -olex.yy.c
+
+libipsec_la_SOURCES = \
+  ipsec_dump_policy.c \
+  ipsec_get_policylen.c \
+  ipsec_strerror.c \
+  key_debug.c \
+  pfkey.c \
+  pfkey_dump.c \
+  policy_parse.y \
+  policy_token.l
+
+# version is current:revision:age.
+# See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
+libipsec_la_LDFLAGS = -version-info 0:0:0
+libipsec_la_LIBADD = $(LEXLIB)
+
+noinst_HEADERS = ipsec_strerror.h policy_parse.h
+
+#test_policy_SOURCES = test-policy.c
+#test_policy_LDFLAGS = libipsec.la
+
+#test_policy_priority_SOURCES = test-policy-priority.c
+#test_policy_priority_LDFLAGS = libipsec.la
+
+EXTRA_DIST = ${man3_MANS} test-policy.c
+
+DISTCLEANFILES = policy_parse.c policy_parse.h policy_token.c policy_token.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,387 @@
+/* $Id: ipsec_dump_policy.c,v 1.1.1.1 2005/02/12 11:11:23 manu Exp $ */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#ifdef HAVE_NETINET6_IPSEC
+#  include <netinet6/ipsec.h>
+#else
+#  include <netinet/ipsec.h>
+#endif
+
+#include <arpa/inet.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+
+#include "ipsec_strerror.h"
+#include "libpfkey.h"
+
+static const char *ipsp_dir_strs[] = {
+	"any", "in", "out", "fwd"
+};
+
+static const char *ipsp_policy_strs[] = {
+	"discard", "none", "ipsec", "entrust", "bypass",
+};
+
+static char *ipsec_dump_ipsecrequest __P((char *, size_t,
+	struct sadb_x_ipsecrequest *, size_t));
+static int set_addresses __P((char *, size_t, struct sockaddr *,
+	struct sockaddr *));
+static char *set_address __P((char *, size_t, struct sockaddr *));
+
+/*
+ * policy is sadb_x_policy buffer.
+ * Must call free() later.
+ * When delimiter == NULL, alternatively ' '(space) is applied.
+ */
+char *
+ipsec_dump_policy(policy, delimiter)
+	caddr_t policy;
+	char *delimiter;
+{
+	struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
+	struct sadb_x_ipsecrequest *xisr;
+	size_t off, buflen;
+	char *buf;
+	char isrbuf[1024];
+	char *newbuf;
+
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+	int32_t priority_offset;
+	char *priority_str;
+	char operator;
+#endif
+
+	/* sanity check */
+	if (policy == NULL)
+		return NULL;
+	if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
+		__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+		return NULL;
+	}
+
+	/* set delimiter */
+	if (delimiter == NULL)
+		delimiter = " ";
+
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+	if (xpl->sadb_x_policy_priority == 0)
+	{
+		priority_offset = 0;
+		priority_str = "";
+	}
+	/* find which constant the priority is closest to */
+	else if (xpl->sadb_x_policy_priority < 
+	         (u_int32_t) (PRIORITY_DEFAULT / 4) * 3)
+	{
+		priority_offset = xpl->sadb_x_policy_priority - PRIORITY_HIGH;
+		priority_str = "prio high";
+	}
+	else if (xpl->sadb_x_policy_priority >= 
+	         (u_int32_t) (PRIORITY_DEFAULT / 4) * 3 &&
+	         xpl->sadb_x_policy_priority < 
+	         (u_int32_t) (PRIORITY_DEFAULT / 4) * 5)
+	{
+		priority_offset = xpl->sadb_x_policy_priority - PRIORITY_DEFAULT;
+		priority_str = "prio def";
+	}
+	else
+	{
+		priority_offset = xpl->sadb_x_policy_priority - PRIORITY_LOW;
+		priority_str = "prio low";
+	}
+
+	/* fix sign to match the way it is input */
+	priority_offset *= -1;
+	if (priority_offset < 0)
+	{
+		operator = '-';
+		priority_offset *= -1;
+	}
+	else
+	{
+		operator = '+';
+	}
+#endif
+	
+	switch (xpl->sadb_x_policy_dir) {
+	case IPSEC_DIR_ANY:
+	case IPSEC_DIR_INBOUND:
+	case IPSEC_DIR_OUTBOUND:
+#ifdef HAVE_POLICY_FWD
+	case IPSEC_DIR_FWD:
+#endif
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_DIR;
+		return NULL;
+	}
+
+	switch (xpl->sadb_x_policy_type) {
+	case IPSEC_POLICY_DISCARD:
+	case IPSEC_POLICY_NONE:
+	case IPSEC_POLICY_IPSEC:
+	case IPSEC_POLICY_BYPASS:
+	case IPSEC_POLICY_ENTRUST:
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_POLICY;
+		return NULL;
+	}
+
+	buflen = strlen(ipsp_dir_strs[xpl->sadb_x_policy_dir])
+		+ 1	/* space */
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+		+ strlen(priority_str)
+		+ ((priority_offset != 0) ? 13 : 0) /* [space operator space int] */
+		+ ((strlen(priority_str) != 0) ? 1 : 0) /* space */
+#endif
+		+ strlen(ipsp_policy_strs[xpl->sadb_x_policy_type])
+		+ 1;	/* NUL */
+
+	if ((buf = malloc(buflen)) == NULL) {
+		__ipsec_errcode = EIPSEC_NO_BUFS;
+		return NULL;
+	}
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+	if (priority_offset != 0)
+	{
+		snprintf(buf, buflen, "%s %s %c %u %s", 
+	    	ipsp_dir_strs[xpl->sadb_x_policy_dir], priority_str, operator, 
+			priority_offset, ipsp_policy_strs[xpl->sadb_x_policy_type]);
+	}
+	else if (strlen (priority_str) != 0)
+	{
+		snprintf(buf, buflen, "%s %s %s", 
+	    	ipsp_dir_strs[xpl->sadb_x_policy_dir], priority_str, 
+			ipsp_policy_strs[xpl->sadb_x_policy_type]);
+	}
+	else
+	{
+		snprintf(buf, buflen, "%s %s", 
+	    	ipsp_dir_strs[xpl->sadb_x_policy_dir],
+			ipsp_policy_strs[xpl->sadb_x_policy_type]);
+	}
+#else
+	snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
+	    ipsp_policy_strs[xpl->sadb_x_policy_type]);
+#endif
+
+	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
+		__ipsec_errcode = EIPSEC_NO_ERROR;
+		return buf;
+	}
+
+	/* count length of buffer for use */
+	off = sizeof(*xpl);
+	while (off < PFKEY_EXTLEN(xpl)) {
+		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
+		off += xisr->sadb_x_ipsecrequest_len;
+	}
+
+	/* validity check */
+	if (off != PFKEY_EXTLEN(xpl)) {
+		__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
+		free(buf);
+		return NULL;
+	}
+
+	off = sizeof(*xpl);
+	while (off < PFKEY_EXTLEN(xpl)) {
+		int offset;
+		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
+
+		if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
+		    PFKEY_EXTLEN(xpl) - off) == NULL) {
+			free(buf);
+			return NULL;
+		}
+
+		offset = strlen(buf);
+		buflen = offset + strlen(delimiter) + strlen(isrbuf) + 1;
+		newbuf = (char *)realloc(buf, buflen);
+		if (newbuf == NULL) {
+			__ipsec_errcode = EIPSEC_NO_BUFS;
+			free(buf);
+			return NULL;
+		}
+		buf = newbuf;
+		snprintf(buf+offset, buflen-offset, "%s%s", delimiter, isrbuf);
+
+		off += xisr->sadb_x_ipsecrequest_len;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return buf;
+}
+
+static char *
+ipsec_dump_ipsecrequest(buf, len, xisr, bound)
+	char *buf;
+	size_t len;
+	struct sadb_x_ipsecrequest *xisr;
+	size_t bound;	/* boundary */
+{
+	const char *proto, *mode, *level;
+	char abuf[NI_MAXHOST * 2 + 2];
+
+	if (xisr->sadb_x_ipsecrequest_len > bound) {
+		__ipsec_errcode = EIPSEC_INVAL_PROTO;
+		return NULL;
+	}
+
+	switch (xisr->sadb_x_ipsecrequest_proto) {
+	case IPPROTO_ESP:
+		proto = "esp";
+		break;
+	case IPPROTO_AH:
+		proto = "ah";
+		break;
+	case IPPROTO_IPCOMP:
+		proto = "ipcomp";
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_PROTO;
+		return NULL;
+	}
+
+	switch (xisr->sadb_x_ipsecrequest_mode) {
+	case IPSEC_MODE_ANY:
+		mode = "any";
+		break;
+	case IPSEC_MODE_TRANSPORT:
+		mode = "transport";
+		break;
+	case IPSEC_MODE_TUNNEL:
+		mode = "tunnel";
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_MODE;
+		return NULL;
+	}
+
+	abuf[0] = '\0';
+	if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
+		struct sockaddr *sa1, *sa2;
+		caddr_t p;
+
+		p = (caddr_t)(xisr + 1);
+		sa1 = (struct sockaddr *)p;
+		sa2 = (struct sockaddr *)(p + sysdep_sa_len(sa1));
+		if (sizeof(*xisr) + sysdep_sa_len(sa1) + sysdep_sa_len(sa2) !=
+		    xisr->sadb_x_ipsecrequest_len) {
+			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+			return NULL;
+		}
+		if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
+			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+			return NULL;
+		}
+	}
+
+	switch (xisr->sadb_x_ipsecrequest_level) {
+	case IPSEC_LEVEL_DEFAULT:
+		level = "default";
+		break;
+	case IPSEC_LEVEL_USE:
+		level = "use";
+		break;
+	case IPSEC_LEVEL_REQUIRE:
+		level = "require";
+		break;
+	case IPSEC_LEVEL_UNIQUE:
+		level = "unique";
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_LEVEL;
+		return NULL;
+	}
+
+	if (xisr->sadb_x_ipsecrequest_reqid == 0)
+		snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
+	else {
+		int ch;
+
+		if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
+			ch = '#';
+		else
+			ch = ':';
+		snprintf(buf, len, "%s/%s/%s/%s%c%u", proto, mode, abuf, level,
+		    ch, xisr->sadb_x_ipsecrequest_reqid);
+	}
+
+	return buf;
+}
+
+static int
+set_addresses(buf, len, sa1, sa2)
+	char *buf;
+	size_t len;
+	struct sockaddr *sa1;
+	struct sockaddr *sa2;
+{
+	char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
+
+	if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
+	    set_address(tmp2, sizeof(tmp2), sa2) == NULL)
+		return -1;
+	if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
+		return -1;
+	snprintf(buf, len, "%s-%s", tmp1, tmp2);
+	return 0;
+}
+
+static char *
+set_address(buf, len, sa)
+	char *buf;
+	size_t len;
+	struct sockaddr *sa;
+{
+	const int niflags = NI_NUMERICHOST;
+
+	if (len < 1)
+		return NULL;
+	buf[0] = '\0';
+	if (getnameinfo(sa, sysdep_sa_len(sa), buf, len, NULL, 0, niflags) != 0)
+		return NULL;
+	return buf;
+}
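Review bot: The length-counting loop `off = sizeof(*xpl); while (off < PFKEY_EXTLEN(xpl))` reads `xisr->sadb_x_ipsecrequest_len` without first checking that a whole `struct sadb_x_ipsecrequest` header still fits in the extension, and a request whose length field is 0 (or anything smaller than `sizeof(*xisr)`) leaves `off` unchanged, so the loop never terminates; the `off != PFKEY_EXTLEN(xpl)` validity check cannot catch either case because it runs only after the loop. Where the buffer comes from is not visible here (the comment only says it is an sadb_x_policy buffer, presumably from the kernel or from ipsec_set_policy), but a malformed buffer turns a dump into a hang instead of the EIPSEC_INVAL_SADBMSG error the function otherwise reports. Once the first pass rejects short headers, the second loop and the `> bound` check in `ipsec_dump_ipsecrequest` cover the remaining cases. Something like the following, reusing the error code of the existing validity check:
```c
	/* count length of buffer for use */
	off = sizeof(*xpl);
	while (off < PFKEY_EXTLEN(xpl)) {
		/* need a full request header before reading its length */
		if (off + sizeof(*xisr) > PFKEY_EXTLEN(xpl)) {
			__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
			free(buf);
			return NULL;
		}
		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
		/* a length below the header size would never advance off */
		if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
			__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
			free(buf);
			return NULL;
		}
		off += xisr->sadb_x_ipsecrequest_len;
	}
	/* … unchanged: validity check and second pass … */
```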
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,55 @@
+/*	$KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#ifdef HAVE_NETINET6_IPSEC
+#  include <netinet6/ipsec.h>
+#else
+#  include <netinet/ipsec.h>
+#endif
+
+
+#include <net/pfkeyv2.h>
+
+#include "ipsec_strerror.h"
+
+int
+ipsec_get_policylen(policy)
+	caddr_t policy;
+{
+	return policy ? PFKEY_EXTLEN(policy) : -1;
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,316 @@
+.\"	$KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
+.\"
+.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd May 5, 1998
+.Dt IPSEC_SET_POLICY 3
+.Os KAME
+.Sh NAME
+.Nm ipsec_set_policy ,
+.Nm ipsec_get_policylen ,
+.Nm ipsec_dump_policy
+.Nd manipulate IPsec policy specification structure from readable string
+.\"
+.Sh LIBRARY
+.Lb libipsec
+.Sh SYNOPSIS
+.Fd #include <netinet6/ipsec.h>
+.Ft "char *"
+.Fn ipsec_set_policy "char *policy" "int len"
+.Ft int
+.Fn ipsec_get_policylen "char *buf"
+.Ft "char *"
+.Fn ipsec_dump_policy "char *buf" "char *delim"
+.Sh DESCRIPTION
+.Fn ipsec_set_policy
+generates IPsec policy specification structure, namely
+.Li struct sadb_x_policy
+and/or
+.Li struct sadb_x_ipsecrequest
+from human-readable policy specification.
+policy specification must be given as C string
+.Fa policy
+and length
+.Fa len
+of
+.Fa policy .
+.Fn ipsec_set_policy
+will return the buffer of IPsec policy specification structure.
+The buffer is dynamically allocated, and must be freed by the caller by calling
+.Xr free 3 .
+.Pp
+You may want the length of the generated buffer such when calling
+.Xr setsockopt 2 .
+.Fn ipsec_get_policylen
+will return the length.
+.Pp
+.Fn ipsec_dump_policy
+converts IPsec policy structure into readable form.
+Therefore,
+.Fn ipsec_dump_policy
+can be regarded as inverse conversion of
+.Fn ipsec_set_policy .
+.Fa buf
+points to an IPsec policy structure,
+.Li struct sadb_x_policy .
+.Fa delim
+is a delimiter string, which is usually a blank character.
+If you set
+.Fa delim
+to
+.Dv NULL ,
+single whitespace is assumed.
+.Fn ipsec_dump_policy
+returns pointer to dynamically allocated string.
+It is caller's responsibility to reclaim the region, by using
+.Xr free 3 .
+.Pp
+.Fa policy
+is formatted as either of the following:
+.Bl -tag  -width "discard"
+.It Ar direction [priority specification] Li discard
+.Ar direction
+must be
+.Li in
+,
+.Li out 
+or
+.Li fwd .
+.Ar direction
+specifies which direction the policy needs to be applied. Nonstandard 
+direction 
+.Ar fwd
+is substituted with 
+.Ar in
+on platforms which do not support forward policies.
+.Pp
+.Ar priority specification
+is used to control the placement of the policy within the SPD. Policy position
+is determined by 
+a signed integer where higher priorities indicate the policy is placed 
+closer to the beginning of the list and lower priorities indicate the 
+policy is placed closer to the end of the list. Policies with equal
+priorities are added at the end of the group of such policies.
+.Pp
+Priority can only
+be specified when libipsec has been compiled against kernel headers that
+support policy priorities (>= 2.6.6). It takes one of the following formats:
+.Bl -tag  -width "discard"
+.It Xo
+.Ar {priority,prio} offset
+.Xc
+.Ar offset
+is an integer in ranges -2147483647 .. 214783648.
+.It Xo
+.Ar {priority,prio} base {+,-} offset
+.Xc
+.Ar base
+is either
+.Li low (-1073741824),
+.Li def (0),
+or
+.Li high (1073741824)
+.Pp
+.Ar offset
+is an unsigned integer. It can be up to 1073741824 for 
+positive offsets, and up to 1073741823 for negative offsets.
+.El
+.Pp
+The interpretation of policy priority in these functions and the kernel DOES
+differ. The relationship between the two can be described as
+p(kernel) = 0x80000000 - p(func)
+.Pp
+With
+.Li discard
+policy, packets will be dropped if they match the policy.
+.It Ar direction [priority specification] Li entrust
+.Li entrust
+means to consult to SPD defined by
+.Xr setkey 8 .
+.It Ar direction [priority specification] Li bypass
+.Li bypass
+means to be bypassed the IPsec processing.
+.Pq packet will be transmitted in clear .
+This is for privileged socket.
+.It Xo
+.Ar direction
+.Ar [priority specification]
+.Li ipsec
+.Ar request ...
+.Xc
+.Li ipsec
+means that the matching packets are subject to IPsec processing.
+.Li ipsec
+can be followed by one or more
+.Ar request
+string, which is formatted as below:
+.Bl -tag  -width "discard"
+.It Xo
+.Ar protocol
+.Li /
+.Ar mode
+.Li /
+.Ar src
+.Li -
+.Ar dst
+.Op Ar /level
+.Xc
+.Ar protocol
+is either
+.Li ah ,
+.Li esp
+or
+.Li ipcomp .
+.Pp
+.Ar mode
+is either
+.Li transport
+or
+.Li tunnel .
+.Pp
+.Ar src
+and
+.Ar dst
+specifies IPsec endpoint.
+.Ar src
+always means
+.Dq sending node
+and
+.Ar dst
+always means
+.Dq receiving node .
+Therefore, when
+.Ar direction
+is
+.Li in ,
+.Ar dst
+is this node
+and
+.Ar src
+is the other node
+.Pq peer .
+If
+.Ar mode
+is
+.Li transport ,
+Both
+.Ar src
+and
+.Ar dst
+can be omited. 
+.Pp
+.Ar level
+must be set to one of the following:
+.Li default , use , require
+or
+.Li unique .
+.Li default
+means that the kernel should consult the system default policy
+defined by
+.Xr sysctl 8 ,
+such as
+.Li net.inet.ipsec.esp_trans_deflev .
+See
+.Xr ipsec 4
+regarding the system default.
+.Li use
+means that a relevant SA can be used when available,
+since the kernel may perform IPsec operation against packets when possible.
+In this case, packets can be transmitted in clear
+.Pq when SA is not available ,
+or encrypted
+.Pq when SA is available .
+.Li require
+means that a relevant SA is required,
+since the kernel must perform IPsec operation against packets.
+.Li unique
+is the same as
+.Li require ,
+but adds the restriction that the SA for outbound traffic is used
+only for this policy.
+You may need the identifier in order to relate the policy and the SA
+when you define the SA by manual keying.
+You can put the decimal number as the identifier after
+.Li unique
+like
+.Li unique : number .
+.Li number
+must be between 1 and 32767 .
+If the
+.Ar request
+string is kept unambiguous,
+.Ar level
+and slash prior to
+.Ar level
+can be omitted.
+However, it is encouraged to specify them explicitly
+to avoid unintended behaviors.
+If
+.Ar level
+is omitted, it will be interpreted as
+.Li default .
+.El
+.Pp
+Note that there is a bit difference of specification from
+.Xr setkey 8 .
+In specification by
+.Xr setkey 8 ,
+both entrust and bypass are not used.
+Refer to
+.Xr setkey 8
+for detail.
+.Pp
+Here are several examples
+.Pq long lines are wrapped for readability :
+.Bd -literal -offset indent
+in discard
+out ipsec esp/transport//require
+in ipsec ah/transport//require
+out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
+in ipsec ipcomp/transport//use
+        esp/transport//use
+.Ed
+.El
+.Sh RETURN VALUES
+.Fn ipsec_set_policy
+returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
+.Fn ipsec_get_policylen
+returns with positive value
+.Pq meaning the buffer size
+on success, and negative value on errors.
+.Fn ipsec_dump_policy
+returns a pointer to dynamically allocated region on success,
+and
+.Dv NULL
+on errors.
+.Sh SEE ALSO
+.Xr ipsec_strerror 3 ,
+.Xr ipsec 4 ,
+.Xr setkey 8
+.Sh HISTORY
+The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,84 @@
+.\"	$KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
+.\"
+.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd May 6, 1998
+.Dt IPSEC_STRERROR 3
+.Os KAME
+.\"
+.Sh NAME
+.Nm ipsec_strerror
+.Nd error message for IPsec policy manipulation library
+.\"
+.Sh SYNOPSIS
+.Fd #include <netinet6/ipsec.h>
+.Ft "const char *"
+.Fn ipsec_strerror
+.\"
+.Sh DESCRIPTION
+.Pa netinet6/ipsec.h
+declares
+.Pp
+.Dl extern int ipsec_errcode;
+.Pp
+which is used to pass an error code from IPsec policy manipulation library
+to an user program.
+.Fn ipsec_strerror
+can be used to obtain the error message string for the error code.
+.Pp
+The array pointed to is not to be modified by the program.
+Since
+.Fn ipsec_strerror
+uses
+.Xr strerror 3
+as underlying function, calling
+.Xr strerror 3
+after
+.Fn ipsec_strerror
+would make the return value from
+.Fn ipsec_strerror
+invalid, or overwritten.
+.\"
+.Sh RETURN VALUES
+.Fn ipsec_strerror
+always return a pointer to C string.
+The C string must not be overwritten by user programs.
+.\"
+.Sh SEE ALSO
+.Xr ipsec_set_policy 3
+.\"
+.Sh HISTORY
+.Fn ipsec_strerror
+first appeared in WIDE/KAME IPv6 protocol stack kit.
+.\"
+.Sh BUGS
+.Fn ipsec_strerror
+will return its result which may be overwritten by subsequent calls.
+.Pp
+.Va ipsec_errcode
+is not thread safe.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,98 @@
+/*	$KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <string.h>
+#ifdef HAVE_NETINET6_IPSEC
+#  include <netinet6/ipsec.h>
+#else
+#  include <netinet/ipsec.h>
+#endif
+
+#include "ipsec_strerror.h"
+
+int __ipsec_errcode;
+
+static const char *ipsec_errlist[] = {
+"Success",					/*EIPSEC_NO_ERROR*/
+"Not supported",				/*EIPSEC_NOT_SUPPORTED*/
+"Invalid argument",				/*EIPSEC_INVAL_ARGUMENT*/
+"Invalid sadb message",				/*EIPSEC_INVAL_SADBMSG*/
+"Invalid version",				/*EIPSEC_INVAL_VERSION*/
+"Invalid security policy",			/*EIPSEC_INVAL_POLICY*/
+"Invalid address specification",		/*EIPSEC_INVAL_ADDRESS*/
+"Invalid ipsec protocol",			/*EIPSEC_INVAL_PROTO*/
+"Invalid ipsec mode",				/*EIPSEC_INVAL_MODE*/
+"Invalid ipsec level",				/*EIPSEC_INVAL_LEVEL*/
+"Invalid SA type",				/*EIPSEC_INVAL_SATYPE*/
+"Invalid message type",				/*EIPSEC_INVAL_MSGTYPE*/
+"Invalid extension type",			/*EIPSEC_INVAL_EXTTYPE*/
+"Invalid algorithm type",			/*EIPSEC_INVAL_ALGS*/
+"Invalid key length",				/*EIPSEC_INVAL_KEYLEN*/
+"Invalid address family",			/*EIPSEC_INVAL_FAMILY*/
+"Invalid prefix length",			/*EIPSEC_INVAL_PREFIXLEN*/
+"Invalid direciton",				/*EIPSEC_INVAL_DIR*/
+"SPI range violation",				/*EIPSEC_INVAL_SPI*/
+"No protocol specified",			/*EIPSEC_NO_PROTO*/
+"No algorithm specified",			/*EIPSEC_NO_ALGS*/
+"No buffers available",				/*EIPSEC_NO_BUFS*/
+"Must get supported algorithms list first",	/*EIPSEC_DO_GET_SUPP_LIST*/
+"Protocol mismatch",				/*EIPSEC_PROTO_MISMATCH*/
+"Family mismatch",				/*EIPSEC_FAMILY_MISMATCH*/
+"Too few arguments",				/*EIPSEC_FEW_ARGUMENTS*/
+NULL,						/*EIPSEC_SYSTEM_ERROR*/
+"Priority offset not in valid range [-2147483647, 2147483648]",	/*EIPSEC_INVAL_PRIORITY_OFFSET*/
+"Priority offset from base not in valid range [0, 1073741823] for negative offsets and [0, 1073741824] for positive offsets", /* EIPSEC_INVAL_PRIORITY_OFFSET */
+"Policy priority not compiled in",	/*EIPSEC_PRIORITY_NOT_COMPILED*/
+"Unknown error",				/*EIPSEC_MAX*/
+};
+
+const char *ipsec_strerror(void)
+{
+	if (__ipsec_errcode < 0 || __ipsec_errcode > EIPSEC_MAX)
+		__ipsec_errcode = EIPSEC_MAX;
+
+	return ipsec_errlist[__ipsec_errcode];
+}
+
+void __ipsec_set_strerror(const char *str)
+{
+	__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+	ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str;
+
+	return;
+}
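Review bot: `ipsec_strerror()` can return NULL: slot `EIPSEC_SYSTEM_ERROR` of `ipsec_errlist` is initialised to NULL and is only filled by `__ipsec_set_strerror()`, so any caller that sets `__ipsec_errcode = EIPSEC_SYSTEM_ERROR` directly gets a NULL `const char *` that it will almost certainly hand to `%s`. The man page in this same import promises that `ipsec_strerror` "always return a pointer to C string", so after the range clamp add `if (ipsec_errlist[__ipsec_errcode] == NULL) return ipsec_errlist[EIPSEC_MAX];`. `__ipsec_set_strerror` also stores the caller's pointer as-is; its callers are outside this hunk, but if they pass `strerror(errno)` as the man page describes, the stored text is overwritten by the next `strerror` call, which deserves a comment on the function such as `/* str is not copied; it must stay valid until the next error is set */`. The comment on the index-28 entry says `EIPSEC_INVAL_PRIORITY_OFFSET` but the string belongs to `EIPSEC_INVAL_PRIORITY_BASE_OFFSET`, which misleads anyone checking that the table and the header stay aligned.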
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,71 @@
+/* $Id: ipsec_strerror.h,v 1.1.1.1 2005/02/12 11:11:30 manu Exp $ */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _IPSEC_STRERROR_H
+#define _IPSEC_STRERROR_H
+
+extern int __ipsec_errcode;
+extern void __ipsec_set_strerror __P((const char *));
+
+#define EIPSEC_NO_ERROR		0	/*success*/
+#define EIPSEC_NOT_SUPPORTED	1	/*not supported*/
+#define EIPSEC_INVAL_ARGUMENT	2	/*invalid argument*/
+#define EIPSEC_INVAL_SADBMSG	3	/*invalid sadb message*/
+#define EIPSEC_INVAL_VERSION	4	/*invalid version*/
+#define EIPSEC_INVAL_POLICY	5	/*invalid security policy*/
+#define EIPSEC_INVAL_ADDRESS	6	/*invalid address specification*/
+#define EIPSEC_INVAL_PROTO	7	/*invalid ipsec protocol*/
+#define EIPSEC_INVAL_MODE	8	/*Invalid ipsec mode*/
+#define EIPSEC_INVAL_LEVEL	9	/*invalid ipsec level*/
+#define EIPSEC_INVAL_SATYPE	10	/*invalid SA type*/
+#define EIPSEC_INVAL_MSGTYPE	11	/*invalid message type*/
+#define EIPSEC_INVAL_EXTTYPE	12	/*invalid extension type*/
+#define EIPSEC_INVAL_ALGS	13	/*Invalid algorithm type*/
+#define EIPSEC_INVAL_KEYLEN	14	/*invalid key length*/
+#define EIPSEC_INVAL_FAMILY	15	/*invalid address family*/
+#define EIPSEC_INVAL_PREFIXLEN	16	/*SPI range violation*/
+#define EIPSEC_INVAL_DIR	17	/*Invalid direciton*/
+#define EIPSEC_INVAL_SPI	18	/*invalid prefixlen*/
+#define EIPSEC_NO_PROTO		19	/*no protocol specified*/
+#define EIPSEC_NO_ALGS		20	/*No algorithm specified*/
+#define EIPSEC_NO_BUFS		21	/*no buffers available*/
+#define EIPSEC_DO_GET_SUPP_LIST	22	/*must get supported algorithm first*/
+#define EIPSEC_PROTO_MISMATCH	23	/*protocol mismatch*/
+#define EIPSEC_FAMILY_MISMATCH	24	/*family mismatch*/
+#define EIPSEC_FEW_ARGUMENTS	25	/*Too few arguments*/
+#define EIPSEC_SYSTEM_ERROR	26	/*system error*/
+#define EIPSEC_INVAL_PRIORITY_OFFSET	27	/*priority offset out of range*/
+#define EIPSEC_INVAL_PRIORITY_BASE_OFFSET	28	/* priority base offset too
+                                                   large */
+#define EIPSEC_PRIORITY_NOT_COMPILED	29	/*no priority support in libipsec*/
+#define EIPSEC_MAX		30	/*unknown error*/
+
+#endif /* _IPSEC_STRERROR_H */
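Review bot: The comments on `EIPSEC_INVAL_PREFIXLEN` (16) and `EIPSEC_INVAL_SPI` (18) are swapped: 16 is annotated `/*SPI range violation*/` and 18 `/*invalid prefixlen*/`, while the string table in ipsec_strerror.c maps 16 to "Invalid prefix length" and 18 to "SPI range violation". Because the table is indexed positionally by these values, a misleading comment here is exactly what leads a later edit to insert an entry at the wrong index; change them to `#define EIPSEC_INVAL_PREFIXLEN 16 /*invalid prefix length*/` and `#define EIPSEC_INVAL_SPI 18 /*SPI range violation*/`, and fix the `direciton` typo on the `EIPSEC_INVAL_DIR` line while there. A one-line note next to `EIPSEC_MAX` that `ipsec_errlist` in ipsec_strerror.c must hold exactly `EIPSEC_MAX + 1` entries in this order would make the coupling explicit.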
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,817 @@
+/*	$KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef _KERNEL
+#if defined(__FreeBSD__) && __FreeBSD__ >= 3
+#include "opt_inet.h"
+#include "opt_inet6.h"
+#include "opt_ipsec.h"
+#endif
+#ifdef __NetBSD__
+#include "opt_inet.h"
+#endif
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef _KERNEL
+#include <sys/systm.h>
+#include <sys/mbuf.h>
+#include <sys/queue.h>
+#endif
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#ifdef HAVE_NETINET6_IPSEC
+#  include <netinet6/ipsec.h>
+#else
+#  include <netinet/ipsec.h>
+#endif
+
+#ifndef _KERNEL
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#endif /* !_KERNEL */
+
+#include "config.h"
+#include "libpfkey.h"
+
+static void kdebug_sadb_prop __P((struct sadb_ext *));
+static void kdebug_sadb_identity __P((struct sadb_ext *));
+static void kdebug_sadb_supported __P((struct sadb_ext *));
+static void kdebug_sadb_lifetime __P((struct sadb_ext *));
+static void kdebug_sadb_sa __P((struct sadb_ext *));
+static void kdebug_sadb_address __P((struct sadb_ext *));
+static void kdebug_sadb_key __P((struct sadb_ext *));
+static void kdebug_sadb_x_sa2 __P((struct sadb_ext *));
+static void kdebug_sadb_x_policy __P((struct sadb_ext *ext));
+static void kdebug_sockaddr __P((struct sockaddr *addr));
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext));
+static void kdebug_sadb_x_nat_t_port __P((struct sadb_ext *ext));
+#endif
+
+#ifdef _KERNEL
+static void kdebug_secreplay __P((struct secreplay *));
+#endif
+
+#ifndef _KERNEL
+#define panic(param)	{ printf(param); exit(1); }
+#endif
+
+#include "libpfkey.h"
+/* NOTE: host byte order */
+
+/* %%%: about struct sadb_msg */
+void
+kdebug_sadb(base)
+	struct sadb_msg *base;
+{
+	struct sadb_ext *ext;
+	int tlen, extlen;
+
+	/* sanity check */
+	if (base == NULL)
+		panic("kdebug_sadb: NULL pointer was passed.\n");
+
+	printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n",
+	    base->sadb_msg_version, base->sadb_msg_type,
+	    base->sadb_msg_errno, base->sadb_msg_satype);
+	printf("  len=%u reserved=%u seq=%u pid=%u\n",
+	    base->sadb_msg_len, base->sadb_msg_reserved,
+	    base->sadb_msg_seq, base->sadb_msg_pid);
+
+	tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg);
+	ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
+
+	while (tlen > 0) {
+		printf("sadb_ext{ len=%u type=%u }\n",
+		    ext->sadb_ext_len, ext->sadb_ext_type);
+
+		if (ext->sadb_ext_len == 0) {
+			printf("kdebug_sadb: invalid ext_len=0 was passed.\n");
+			return;
+		}
+		if (ext->sadb_ext_len > tlen) {
+			printf("kdebug_sadb: ext_len exceeds end of buffer.\n");
+			return;
+		}
+
+		switch (ext->sadb_ext_type) {
+		case SADB_EXT_SA:
+			kdebug_sadb_sa(ext);
+			break;
+		case SADB_EXT_LIFETIME_CURRENT:
+		case SADB_EXT_LIFETIME_HARD:
+		case SADB_EXT_LIFETIME_SOFT:
+			kdebug_sadb_lifetime(ext);
+			break;
+		case SADB_EXT_ADDRESS_SRC:
+		case SADB_EXT_ADDRESS_DST:
+		case SADB_EXT_ADDRESS_PROXY:
+			kdebug_sadb_address(ext);
+			break;
+		case SADB_EXT_KEY_AUTH:
+		case SADB_EXT_KEY_ENCRYPT:
+			kdebug_sadb_key(ext);
+			break;
+		case SADB_EXT_IDENTITY_SRC:
+		case SADB_EXT_IDENTITY_DST:
+			kdebug_sadb_identity(ext);
+			break;
+		case SADB_EXT_SENSITIVITY:
+			break;
+		case SADB_EXT_PROPOSAL:
+			kdebug_sadb_prop(ext);
+			break;
+		case SADB_EXT_SUPPORTED_AUTH:
+		case SADB_EXT_SUPPORTED_ENCRYPT:
+			kdebug_sadb_supported(ext);
+			break;
+		case SADB_EXT_SPIRANGE:
+		case SADB_X_EXT_KMPRIVATE:
+			break;
+		case SADB_X_EXT_POLICY:
+			kdebug_sadb_x_policy(ext);
+			break;
+		case SADB_X_EXT_SA2:
+			kdebug_sadb_x_sa2(ext);
+			break;
+#ifdef SADB_X_EXT_NAT_T_TYPE
+		case SADB_X_EXT_NAT_T_TYPE:
+			kdebug_sadb_x_nat_t_type(ext);
+			break;
+		case SADB_X_EXT_NAT_T_SPORT:
+		case SADB_X_EXT_NAT_T_DPORT:
+			kdebug_sadb_x_nat_t_port(ext);
+			break;
+		case SADB_X_EXT_NAT_T_OA:
+			kdebug_sadb_address(ext);
+			break;
+#endif
+		default:
+			printf("kdebug_sadb: invalid ext_type %u was passed.\n",
+			    ext->sadb_ext_type);
+			return;
+		}
+
+		extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
+		tlen -= extlen;
+		ext = (struct sadb_ext *)((caddr_t)ext + extlen);
+	}
+
+	return;
+}
+
+static void
+kdebug_sadb_prop(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_prop *prop = (struct sadb_prop *)ext;
+	struct sadb_comb *comb;
+	int len;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_prop: NULL pointer was passed.\n");
+
+	len = (PFKEY_UNUNIT64(prop->sadb_prop_len) - sizeof(*prop))
+		/ sizeof(*comb);
+	comb = (struct sadb_comb *)(prop + 1);
+	printf("sadb_prop{ replay=%u\n", prop->sadb_prop_replay);
+
+	while (len--) {
+		printf("sadb_comb{ auth=%u encrypt=%u "
+			"flags=0x%04x reserved=0x%08x\n",
+			comb->sadb_comb_auth, comb->sadb_comb_encrypt,
+			comb->sadb_comb_flags, comb->sadb_comb_reserved);
+
+		printf("  auth_minbits=%u auth_maxbits=%u "
+			"encrypt_minbits=%u encrypt_maxbits=%u\n",
+			comb->sadb_comb_auth_minbits,
+			comb->sadb_comb_auth_maxbits,
+			comb->sadb_comb_encrypt_minbits,
+			comb->sadb_comb_encrypt_maxbits);
+
+		printf("  soft_alloc=%u hard_alloc=%u "
+			"soft_bytes=%lu hard_bytes=%lu\n",
+			comb->sadb_comb_soft_allocations,
+			comb->sadb_comb_hard_allocations,
+			(unsigned long)comb->sadb_comb_soft_bytes,
+			(unsigned long)comb->sadb_comb_hard_bytes);
+
+		printf("  soft_alloc=%lu hard_alloc=%lu "
+			"soft_bytes=%lu hard_bytes=%lu }\n",
+			(unsigned long)comb->sadb_comb_soft_addtime,
+			(unsigned long)comb->sadb_comb_hard_addtime,
+			(unsigned long)comb->sadb_comb_soft_usetime,
+			(unsigned long)comb->sadb_comb_hard_usetime);
+		comb++;
+	}
+	printf("}\n");
+
+	return;
+}
+
+static void
+kdebug_sadb_identity(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_ident *id = (struct sadb_ident *)ext;
+	int len;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_identity: NULL pointer was passed.\n");
+
+	len = PFKEY_UNUNIT64(id->sadb_ident_len) - sizeof(*id);
+	printf("sadb_ident_%s{",
+	    id->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC ? "src" : "dst");
+	switch (id->sadb_ident_type) {
+	default:
+		printf(" type=%d id=%lu",
+			id->sadb_ident_type, (u_long)id->sadb_ident_id);
+		if (len) {
+#ifdef _KERNEL
+			ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/
+#else
+			char *p, *ep;
+			printf("\n  str=\"");
+			p = (char *)(id + 1);
+			ep = p + len;
+			for (/*nothing*/; *p && p < ep; p++) {
+				if (isprint((int)*p))
+					printf("%c", *p & 0xff);
+				else
+					printf("\\%03o", *p & 0xff);
+			}
+#endif
+			printf("\"");
+		}
+		break;
+	}
+
+	printf(" }\n");
+
+	return;
+}
+
+static void
+kdebug_sadb_supported(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_supported *sup = (struct sadb_supported *)ext;
+	struct sadb_alg *alg;
+	int len;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_supported: NULL pointer was passed.\n");
+
+	len = (PFKEY_UNUNIT64(sup->sadb_supported_len) - sizeof(*sup))
+		/ sizeof(*alg);
+	alg = (struct sadb_alg *)(sup + 1);
+	printf("sadb_sup{\n");
+	while (len--) {
+		printf("  { id=%d ivlen=%d min=%d max=%d }\n",
+			alg->sadb_alg_id, alg->sadb_alg_ivlen,
+			alg->sadb_alg_minbits, alg->sadb_alg_maxbits);
+		alg++;
+	}
+	printf("}\n");
+
+	return;
+}
+
+static void
+kdebug_sadb_lifetime(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_lifetime *lft = (struct sadb_lifetime *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		printf("kdebug_sadb_lifetime: NULL pointer was passed.\n");
+
+	printf("sadb_lifetime{ alloc=%u, bytes=%u\n",
+		lft->sadb_lifetime_allocations,
+		(u_int32_t)lft->sadb_lifetime_bytes);
+	printf("  addtime=%u, usetime=%u }\n",
+		(u_int32_t)lft->sadb_lifetime_addtime,
+		(u_int32_t)lft->sadb_lifetime_usetime);
+
+	return;
+}
+
+static void
+kdebug_sadb_sa(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_sa *sa = (struct sadb_sa *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_sa: NULL pointer was passed.\n");
+
+	printf("sadb_sa{ spi=%u replay=%u state=%u\n",
+	    (u_int32_t)ntohl(sa->sadb_sa_spi), sa->sadb_sa_replay,
+	    sa->sadb_sa_state);
+	printf("  auth=%u encrypt=%u flags=0x%08x }\n",
+	    sa->sadb_sa_auth, sa->sadb_sa_encrypt, sa->sadb_sa_flags);
+
+	return;
+}
+
+static void
+kdebug_sadb_address(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_address *addr = (struct sadb_address *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_address: NULL pointer was passed.\n");
+
+	printf("sadb_address{ proto=%u prefixlen=%u reserved=0x%02x%02x }\n",
+	    addr->sadb_address_proto, addr->sadb_address_prefixlen,
+	    ((u_char *)&addr->sadb_address_reserved)[0],
+	    ((u_char *)&addr->sadb_address_reserved)[1]);
+
+	kdebug_sockaddr((struct sockaddr *)((caddr_t)ext + sizeof(*addr)));
+
+	return;
+}
+
+static void
+kdebug_sadb_key(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_key *key = (struct sadb_key *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_key: NULL pointer was passed.\n");
+
+	printf("sadb_key{ bits=%u reserved=%u\n",
+	    key->sadb_key_bits, key->sadb_key_reserved);
+	printf("  key=");
+
+	/* sanity check 2 */
+	if ((key->sadb_key_bits >> 3) >
+		(PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key))) {
+		printf("kdebug_sadb_key: key length mismatch, bit:%d len:%ld.\n",
+			key->sadb_key_bits >> 3,
+			(long)PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key));
+	}
+
+	ipsec_hexdump((caddr_t)key + sizeof(struct sadb_key),
+	              key->sadb_key_bits >> 3);
+	printf(" }\n");
+	return;
+}
+
+static void
+kdebug_sadb_x_sa2(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_x_sa2 *sa2 = (struct sadb_x_sa2 *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_x_sa2: NULL pointer was passed.\n");
+
+	printf("sadb_x_sa2{ mode=%u reqid=%u\n",
+	    sa2->sadb_x_sa2_mode, sa2->sadb_x_sa2_reqid);
+	printf("  reserved1=%u reserved2=%u sequence=%u }\n",
+	    sa2->sadb_x_sa2_reserved1, sa2->sadb_x_sa2_reserved2,
+	    sa2->sadb_x_sa2_sequence);
+
+	return;
+}
+
+void
+kdebug_sadb_x_policy(ext)
+	struct sadb_ext *ext;
+{
+	struct sadb_x_policy *xpl = (struct sadb_x_policy *)ext;
+	struct sockaddr *addr;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_x_policy: NULL pointer was passed.\n");
+
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+	printf("sadb_x_policy{ type=%u dir=%u id=%x priority=%u }\n",
+#else
+	printf("sadb_x_policy{ type=%u dir=%u id=%x }\n",
+#endif
+		xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir,
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+		xpl->sadb_x_policy_id, xpl->sadb_x_policy_priority);
+#else
+		xpl->sadb_x_policy_id);
+#endif
+
+	if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) {
+		int tlen;
+		struct sadb_x_ipsecrequest *xisr;
+
+		tlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
+		xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
+
+		while (tlen > 0) {
+			printf(" { len=%u proto=%u mode=%u level=%u reqid=%u\n",
+				xisr->sadb_x_ipsecrequest_len,
+				xisr->sadb_x_ipsecrequest_proto,
+				xisr->sadb_x_ipsecrequest_mode,
+				xisr->sadb_x_ipsecrequest_level,
+				xisr->sadb_x_ipsecrequest_reqid);
+
+			if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
+				addr = (struct sockaddr *)(xisr + 1);
+				kdebug_sockaddr(addr);
+				addr = (struct sockaddr *)((caddr_t)addr
+							+ sysdep_sa_len(addr));
+				kdebug_sockaddr(addr);
+			}
+
+			printf(" }\n");
+
+			/* prevent infinite loop */
+			if (xisr->sadb_x_ipsecrequest_len <= 0) {
+				printf("kdebug_sadb_x_policy: wrong policy struct.\n");
+				return;
+			}
+			/* prevent overflow */
+			if (xisr->sadb_x_ipsecrequest_len > tlen) {
+				printf("invalid ipsec policy length\n");
+				return;
+			}
+
+			tlen -= xisr->sadb_x_ipsecrequest_len;
+
+			xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+			                + xisr->sadb_x_ipsecrequest_len);
+		}
+
+		if (tlen != 0)
+			panic("kdebug_sadb_x_policy: wrong policy struct.\n");
+	}
+
+	return;
+}
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+static void
+kdebug_sadb_x_nat_t_type(struct sadb_ext *ext)
+{
+	struct sadb_x_nat_t_type *ntt = (struct sadb_x_nat_t_type *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_x_nat_t_type: NULL pointer was passed.\n");
+
+	printf("sadb_x_nat_t_type{ type=%u }\n", ntt->sadb_x_nat_t_type_type);
+
+	return;
+}
+
+static void
+kdebug_sadb_x_nat_t_port(struct sadb_ext *ext)
+{
+	struct sadb_x_nat_t_port *ntp = (struct sadb_x_nat_t_port *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic("kdebug_sadb_x_nat_t_port: NULL pointer was passed.\n");
+
+	printf("sadb_x_nat_t_port{ port=%u }\n", ntohs(ntp->sadb_x_nat_t_port_port));
+
+	return;
+}
+#endif
+
+#ifdef _KERNEL
+/* %%%: about SPD and SAD */
+void
+kdebug_secpolicy(sp)
+	struct secpolicy *sp;
+{
+	/* sanity check */
+	if (sp == NULL)
+		panic("kdebug_secpolicy: NULL pointer was passed.\n");
+
+	printf("secpolicy{ refcnt=%u state=%u policy=%u\n",
+		sp->refcnt, sp->state, sp->policy);
+
+	kdebug_secpolicyindex(&sp->spidx);
+
+	switch (sp->policy) {
+	case IPSEC_POLICY_DISCARD:
+		printf("  type=discard }\n");
+		break;
+	case IPSEC_POLICY_NONE:
+		printf("  type=none }\n");
+		break;
+	case IPSEC_POLICY_IPSEC:
+	    {
+		struct ipsecrequest *isr;
+		for (isr = sp->req; isr != NULL; isr = isr->next) {
+
+			printf("  level=%u\n", isr->level);
+			kdebug_secasindex(&isr->saidx);
+
+			if (isr->sav != NULL)
+				kdebug_secasv(isr->sav);
+		}
+		printf("  }\n");
+	    }
+		break;
+	case IPSEC_POLICY_BYPASS:
+		printf("  type=bypass }\n");
+		break;
+	case IPSEC_POLICY_ENTRUST:
+		printf("  type=entrust }\n");
+		break;
+	default:
+		printf("kdebug_secpolicy: Invalid policy found. %d\n",
+			sp->policy);
+		break;
+	}
+
+	return;
+}
+
+void
+kdebug_secpolicyindex(spidx)
+	struct secpolicyindex *spidx;
+{
+	/* sanity check */
+	if (spidx == NULL)
+		panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
+
+	printf("secpolicyindex{ dir=%u prefs=%u prefd=%u ul_proto=%u\n",
+		spidx->dir, spidx->prefs, spidx->prefd, spidx->ul_proto);
+
+	ipsec_hexdump((caddr_t)&spidx->src,
+		sysdep_sa_len((struct sockaddr *)&spidx->src));
+	printf("\n");
+	ipsec_hexdump((caddr_t)&spidx->dst,
+		sysdep_sa_len((struct sockaddr *)&spidx->dst));
+	printf("}\n");
+
+	return;
+}
+
+void
+kdebug_secasindex(saidx)
+	struct secasindex *saidx;
+{
+	/* sanity check */
+	if (saidx == NULL)
+		panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
+
+	printf("secasindex{ mode=%u proto=%u\n",
+		saidx->mode, saidx->proto);
+
+	ipsec_hexdump((caddr_t)&saidx->src,
+		sysdep_sa_len((struct sockaddr *)&saidx->src));
+	printf("\n");
+	ipsec_hexdump((caddr_t)&saidx->dst,
+		sysdep_sa_len((struct sockaddr *)&saidx->dst));
+	printf("\n");
+
+	return;
+}
+
+void
+kdebug_secasv(sav)
+	struct secasvar *sav;
+{
+	/* sanity check */
+	if (sav == NULL)
+		panic("kdebug_secasv: NULL pointer was passed.\n");
+
+	printf("secas{");
+	kdebug_secasindex(&sav->sah->saidx);
+
+	printf("  refcnt=%u state=%u auth=%u enc=%u\n",
+	    sav->refcnt, sav->state, sav->alg_auth, sav->alg_enc);
+	printf("  spi=%u flags=%u\n",
+	    (u_int32_t)ntohl(sav->spi), sav->flags);
+
+	if (sav->key_auth != NULL)
+		kdebug_sadb_key((struct sadb_ext *)sav->key_auth);
+	if (sav->key_enc != NULL)
+		kdebug_sadb_key((struct sadb_ext *)sav->key_enc);
+	if (sav->iv != NULL) {
+		printf("  iv=");
+		ipsec_hexdump(sav->iv, sav->ivlen ? sav->ivlen : 8);
+		printf("\n");
+	}
+
+	if (sav->replay != NULL)
+		kdebug_secreplay(sav->replay);
+	if (sav->lft_c != NULL)
+		kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_c);
+	if (sav->lft_h != NULL)
+		kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_h);
+	if (sav->lft_s != NULL)
+		kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_s);
+
+#if notyet
+	/* XXX: misc[123] ? */
+#endif
+
+	return;
+}
+
+static void
+kdebug_secreplay(rpl)
+	struct secreplay *rpl;
+{
+	int len, l;
+
+	/* sanity check */
+	if (rpl == NULL)
+		panic("kdebug_secreplay: NULL pointer was passed.\n");
+
+	printf(" secreplay{ count=%u wsize=%u seq=%u lastseq=%u",
+	    rpl->count, rpl->wsize, rpl->seq, rpl->lastseq);
+
+	if (rpl->bitmap == NULL) {
+		printf(" }\n");
+		return;
+	}
+
+	printf("\n   bitmap { ");
+
+	for (len = 0; len < rpl->wsize; len++) {
+		for (l = 7; l >= 0; l--)
+			printf("%u", (((rpl->bitmap)[len] >> l) & 1) ? 1 : 0);
+	}
+	printf(" }\n");
+
+	return;
+}
+
+void
+kdebug_mbufhdr(m)
+	struct mbuf *m;
+{
+	/* sanity check */
+	if (m == NULL)
+		return;
+
+	printf("mbuf(%p){ m_next:%p m_nextpkt:%p m_data:%p "
+	       "m_len:%d m_type:0x%02x m_flags:0x%02x }\n",
+		m, m->m_next, m->m_nextpkt, m->m_data,
+		m->m_len, m->m_type, m->m_flags);
+
+	if (m->m_flags & M_PKTHDR) {
+		printf("  m_pkthdr{ len:%d rcvif:%p }\n",
+		    m->m_pkthdr.len, m->m_pkthdr.rcvif);
+	}
+
+#ifdef __FreeBSD__
+	if (m->m_flags & M_EXT) {
+		printf("  m_ext{ ext_buf:%p ext_free:%p "
+		       "ext_size:%u ext_ref:%p }\n",
+			m->m_ext.ext_buf, m->m_ext.ext_free,
+			m->m_ext.ext_size, m->m_ext.ext_ref);
+	}
+#endif
+
+	return;
+}
+
+void
+kdebug_mbuf(m0)
+	struct mbuf *m0;
+{
+	struct mbuf *m = m0;
+	int i, j;
+
+	for (j = 0; m; m = m->m_next) {
+		kdebug_mbufhdr(m);
+		printf("  m_data:\n");
+		for (i = 0; i < m->m_len; i++) {
+			if (i && i % 32 == 0)
+				printf("\n");
+			if (i % 4 == 0)
+				printf(" ");
+			printf("%02x", mtod(m, u_char *)[i]);
+			j++;
+		}
+		printf("\n");
+	}
+
+	return;
+}
+#endif /* _KERNEL */
+
+static void
+kdebug_sockaddr(addr)
+	struct sockaddr *addr;
+{
+	struct sockaddr_in *sin4;
+#ifdef INET6
+	struct sockaddr_in6 *sin6;
+#endif
+
+	/* sanity check */
+	if (addr == NULL)
+		panic("kdebug_sockaddr: NULL pointer was passed.\n");
+
+	/* NOTE: We deal with port number as host byte order. */
+	printf("sockaddr{ len=%u family=%u", sysdep_sa_len(addr), addr->sa_family);
+
+	switch (addr->sa_family) {
+	case AF_INET:
+		sin4 = (struct sockaddr_in *)addr;
+		printf(" port=%u\n", ntohs(sin4->sin_port));
+		ipsec_hexdump((caddr_t)&sin4->sin_addr, sizeof(sin4->sin_addr));
+		break;
+#ifdef INET6
+	case AF_INET6:
+		sin6 = (struct sockaddr_in6 *)addr;
+		printf(" port=%u\n", ntohs(sin6->sin6_port));
+		printf("  flowinfo=0x%08x, scope_id=0x%08x\n",
+		    sin6->sin6_flowinfo, sin6->sin6_scope_id);
+		ipsec_hexdump((caddr_t)&sin6->sin6_addr,
+		    sizeof(sin6->sin6_addr));
+		break;
+#endif
+	}
+
+	printf("  }\n");
+
+	return;
+}
+
+void
+ipsec_bindump(buf, len)
+	caddr_t buf;
+	int len;
+{
+	int i;
+
+	for (i = 0; i < len; i++)
+		printf("%c", (unsigned char)buf[i]);
+
+	return;
+}
+
+
+void
+ipsec_hexdump(buf, len)
+	caddr_t buf;
+	int len;
+{
+	int i;
+
+	for (i = 0; i < len; i++) {
+		if (i != 0 && i % 32 == 0) printf("\n");
+		if (i % 4 == 0) printf(" ");
+		printf("%02x", (unsigned char)buf[i]);
+	}
+#if 0
+	if (i % 32 != 0) printf("\n");
+#endif
+
+	return;
+}
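Review bot: In kdebug_sadb_key the "sanity check 2" only prints the mismatch and then still hands the unchecked `key->sadb_key_bits >> 3` to ipsec_hexdump, so an oversized bit count is dumped from memory beyond the extension the caller bounded; add `return;` after the mismatch printf (or clamp the dump length to `PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key)`). The walker in kdebug_sadb has a related gap: `if (ext->sadb_ext_len > tlen)` compares a 64-bit-unit count with a byte count, so it should read `if (PFKEY_UNUNIT64(ext->sadb_ext_len) > tlen)` to reject an extension that overruns the message. kdebug_sadb_lifetime checks for NULL with printf where every sibling uses panic() and then dereferences lft regardless; `panic("kdebug_sadb_lifetime: NULL pointer was passed.\n");` keeps the behaviour consistent. For a dumper that presumably walks messages received over a PF_KEY socket, these length checks are what keep a malformed message from becoming an out-of-bounds read.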
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,160 @@
+/* $Id: libpfkey.h,v 1.1.1.1 2005/02/12 11:11:31 manu Exp $ */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _LIBPFKEY_H
+#define _LIBPFKEY_H
+
+#ifndef KAME_LIBPFKEY_H
+#define KAME_LIBPFKEY_H
+
+#define PRIORITY_LOW        0xC0000000
+#define PRIORITY_DEFAULT    0x80000000
+#define PRIORITY_HIGH       0x40000000
+
+#define PRIORITY_OFFSET_POSITIVE_MAX	0x3fffffff
+#define PRIORITY_OFFSET_NEGATIVE_MAX	0x40000000
+
+struct sadb_msg;
+extern void pfkey_sadump __P((struct sadb_msg *));
+extern void pfkey_spdump __P((struct sadb_msg *));
+
+struct sockaddr;
+struct sadb_alg;
+
+/* IPsec Library Routines */
+
+int ipsec_check_keylen __P((u_int, u_int, u_int));
+int ipsec_check_keylen2 __P((u_int, u_int, u_int));
+int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *));
+char *ipsec_dump_policy __P((caddr_t policy, char *delimiter));
+void ipsec_hexdump __P((caddr_t buf, int len));
+int  ipsec_get_policylen __P((caddr_t policy));
+caddr_t ipsec_set_policy __P((char *msg, int msglen));
+const char *ipsec_strerror __P((void));
+void kdebug_sadb __P((struct sadb_msg *base));
+
+
+/* PFKey Routines */
+
+u_int pfkey_set_softrate __P((u_int, u_int));
+u_int pfkey_get_softrate __P((u_int));
+int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
+	struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
+int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
+	struct sockaddr *, u_int32_t, u_int32_t, u_int,
+	caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
+	u_int64_t, u_int64_t, u_int32_t));
+int pfkey_send_update_nat __P((int, u_int, u_int, struct sockaddr *,
+	struct sockaddr *, u_int32_t, u_int32_t, u_int,
+	caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
+	u_int64_t, u_int64_t, u_int32_t,
+	u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t));
+int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
+	struct sockaddr *, u_int32_t, u_int32_t, u_int,
+	caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
+	u_int64_t, u_int64_t, u_int32_t));
+int pfkey_send_add_nat __P((int, u_int, u_int, struct sockaddr *,
+	struct sockaddr *, u_int32_t, u_int32_t, u_int,
+	caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
+	u_int64_t, u_int64_t, u_int32_t,
+	u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t));
+int pfkey_send_delete __P((int, u_int, u_int,
+	struct sockaddr *, struct sockaddr *, u_int32_t));
+int pfkey_send_delete_all __P((int, u_int, u_int,
+	struct sockaddr *, struct sockaddr *));
+int pfkey_send_get __P((int, u_int, u_int,
+	struct sockaddr *, struct sockaddr *, u_int32_t));
+int pfkey_send_register __P((int, u_int));
+int pfkey_recv_register __P((int));
+int pfkey_set_supported __P((struct sadb_msg *, int));
+int pfkey_send_flush __P((int, u_int));
+int pfkey_send_dump __P((int, u_int));
+int pfkey_send_promisc_toggle __P((int, int));
+int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdadd2 __P((int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+	caddr_t, int, u_int32_t));
+int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdupdate2 __P((int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+	caddr_t, int, u_int32_t));
+int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spddelete2 __P((int, u_int32_t));
+int pfkey_send_spdget __P((int, u_int32_t));
+int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdflush __P((int));
+int pfkey_send_spddump __P((int));
+
+int pfkey_open __P((void));
+void pfkey_close __P((int));
+struct sadb_msg *pfkey_recv __P((int));
+int pfkey_send __P((int, struct sadb_msg *, int));
+int pfkey_align __P((struct sadb_msg *, caddr_t *));
+int pfkey_check __P((caddr_t *));
+
+#ifndef __SYSDEP_SA_LEN__
+#define __SYSDEP_SA_LEN__
+#include <netinet/in.h>
+
+#ifndef IPPROTO_IPV4
+#define IPPROTO_IPV4 IPPROTO_IPIP
+#endif
+
+#ifndef IPPROTO_IPCOMP
+#define IPPROTO_IPCOMP IPPROTO_COMP
+#endif
+
+static inline u_int8_t
+sysdep_sa_len (const struct sockaddr *sa)
+{
+#ifdef __linux__
+  switch (sa->sa_family)
+    {
+    case AF_INET:
+      return sizeof (struct sockaddr_in);
+    case AF_INET6:
+      return sizeof (struct sockaddr_in6);
+    }
+  // log_print ("sysdep_sa_len: unknown sa family %d", sa->sa_family);
+  return sizeof (struct sockaddr_in);
+#else
+  return sa->sa_len;
+#endif
+}
+#endif
+
+#endif /* KAME_LIBPFKEY_H */
+
+#endif /* _LIBPFKEY_H */
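Review bot: sysdep_sa_len's Linux branch silently returns sizeof(struct sockaddr_in) for any family other than AF_INET/AF_INET6, with the only diagnostic left commented out at the `// log_print` line; callers such as kdebug_sadb_x_policy use the result to step to the next sockaddr in a buffer, so an unexpected family quietly misaligns the walk with no way for the caller to notice. The fallback deserves a comment above the final return, e.g. `/* unknown family: fall back to the IPv4 size; callers cannot detect this */`, and the commented-out log should either be restored or dropped. The header also uses `u_int`, `u_int8_t`, `caddr_t` and `__P` without including <sys/types.h>, so it appears to rely on the includer for them, and the guard name `__SYSDEP_SA_LEN__` sits in the identifier space reserved for the implementation.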
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,2371 @@
+/*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <net/pfkeyv2.h>
+#include <netinet/in.h>
+#ifdef HAVE_NETINET6_IPSEC
+#  include <netinet6/ipsec.h>
+#else
+#  include <netinet/ipsec.h>
+#endif
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <stdio.h>
+
+#include "ipsec_strerror.h"
+#include "libpfkey.h"
+
+#define CALLOC(size, cast) (cast)calloc(1, (size))
+
+static int findsupportedmap __P((int));
+static int setsupportedmap __P((struct sadb_supported *));
+static struct sadb_alg *findsupportedalg __P((u_int, u_int));
+static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *,
+	struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
+	u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
+	u_int32_t, u_int32_t, u_int32_t,
+	u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t));
+static int pfkey_send_x2 __P((int, u_int, u_int, u_int,
+	struct sockaddr *, struct sockaddr *, u_int32_t));
+static int pfkey_send_x3 __P((int, u_int, u_int));
+static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+	char *, int, u_int32_t));
+static int pfkey_send_x5 __P((int, u_int, u_int32_t));
+
+static caddr_t pfkey_setsadbmsg __P((caddr_t, caddr_t, u_int, u_int,
+	u_int, u_int32_t, pid_t));
+static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int,
+	u_int, u_int, u_int32_t));
+static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int,
+	struct sockaddr *, u_int, u_int));
+static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int));
+static caddr_t pfkey_setsadblifetime __P((caddr_t, caddr_t, u_int, u_int32_t,
+	u_int32_t, u_int32_t, u_int32_t));
+static caddr_t pfkey_setsadbxsa2 __P((caddr_t, caddr_t, u_int32_t, u_int32_t));
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+static caddr_t pfkey_set_natt_type __P((caddr_t, caddr_t, u_int, u_int8_t));
+static caddr_t pfkey_set_natt_port __P((caddr_t, caddr_t, u_int, u_int16_t));
+#endif
+#ifdef SADB_X_EXT_NAT_T_FRAG
+static caddr_t pfkey_set_natt_frag __P((caddr_t, caddr_t, u_int, u_int16_t));
+#endif
+
+/*
+ * make and search supported algorithm structure.
+ */
+static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, };
+
+static int supported_map[] = {
+	SADB_SATYPE_AH,
+	SADB_SATYPE_ESP,
+	SADB_X_SATYPE_IPCOMP,
+};
+
+static int
+findsupportedmap(satype)
+	int satype;
+{
+	int i;
+
+	for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
+		if (supported_map[i] == satype)
+			return i;
+	return -1;
+}
+
+static struct sadb_alg *
+findsupportedalg(satype, alg_id)
+	u_int satype, alg_id;
+{
+	int algno;
+	int tlen;
+	caddr_t p;
+
+	/* validity check */
+	algno = findsupportedmap(satype);
+	if (algno == -1) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return NULL;
+	}
+	if (ipsec_supported[algno] == NULL) {
+		__ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
+		return NULL;
+	}
+
+	tlen = ipsec_supported[algno]->sadb_supported_len
+		- sizeof(struct sadb_supported);
+	p = (caddr_t)(ipsec_supported[algno] + 1);
+	while (tlen > 0) {
+		if (tlen < sizeof(struct sadb_alg)) {
+			/* invalid format */
+			break;
+		}
+		if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
+			return (struct sadb_alg *)p;
+
+		tlen -= sizeof(struct sadb_alg);
+		p += sizeof(struct sadb_alg);
+	}
+
+	__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+	return NULL;
+}
+
+static int
+setsupportedmap(sup)
+	struct sadb_supported *sup;
+{
+	struct sadb_supported **ipsup;
+
+	switch (sup->sadb_supported_exttype) {
+	case SADB_EXT_SUPPORTED_AUTH:
+		ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
+		break;
+	case SADB_EXT_SUPPORTED_ENCRYPT:
+		ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	if (*ipsup)
+		free(*ipsup);
+
+	*ipsup = malloc(sup->sadb_supported_len);
+	if (!*ipsup) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	memcpy(*ipsup, sup, sup->sadb_supported_len);
+
+	return 0;
+}
+
+/*
+ * check key length against algorithm specified.
+ * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
+ * augument, and only calls to ipsec_check_keylen2();
+ * keylen is the unit of bit.
+ * OUT:
+ *	-1: invalid.
+ *	 0: valid.
+ */
+int
+ipsec_check_keylen(supported, alg_id, keylen)
+	u_int supported;
+	u_int alg_id;
+	u_int keylen;
+{
+	int satype;
+
+	/* validity check */
+	switch (supported) {
+	case SADB_EXT_SUPPORTED_AUTH:
+		satype = SADB_SATYPE_AH;
+		break;
+	case SADB_EXT_SUPPORTED_ENCRYPT:
+		satype = SADB_SATYPE_ESP;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	return ipsec_check_keylen2(satype, alg_id, keylen);
+}
+
+/*
+ * check key length against algorithm specified.
+ * satype is one of satype defined at pfkeyv2.h.
+ * keylen is the unit of bit.
+ * OUT:
+ *	-1: invalid.
+ *	 0: valid.
+ */
+int
+ipsec_check_keylen2(satype, alg_id, keylen)
+	u_int satype;
+	u_int alg_id;
+	u_int keylen;
+{
+	struct sadb_alg *alg;
+
+	alg = findsupportedalg(satype, alg_id);
+	if (!alg)
+		return -1;
+
+	if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
+		fprintf(stderr, "%d %d %d\n", keylen, alg->sadb_alg_minbits,
+			alg->sadb_alg_maxbits);
+		__ipsec_errcode = EIPSEC_INVAL_KEYLEN;
+		return -1;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * get max/min key length against algorithm specified.
+ * satype is one of satype defined at pfkeyv2.h.
+ * keylen is the unit of bit.
+ * OUT:
+ *	-1: invalid.
+ *	 0: valid.
+ */
+int
+ipsec_get_keylen(supported, alg_id, alg0)
+	u_int supported, alg_id;
+	struct sadb_alg *alg0;
+{
+	struct sadb_alg *alg;
+	u_int satype;
+
+	/* validity check */
+	if (!alg0) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	switch (supported) {
+	case SADB_EXT_SUPPORTED_AUTH:
+		satype = SADB_SATYPE_AH;
+		break;
+	case SADB_EXT_SUPPORTED_ENCRYPT:
+		satype = SADB_SATYPE_ESP;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	alg = findsupportedalg(satype, alg_id);
+	if (!alg)
+		return -1;
+
+	memcpy(alg0, alg, sizeof(*alg0));
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * set the rate for SOFT lifetime against HARD one.
+ * If rate is more than 100 or equal to zero, then set to 100.
+ */
+static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
+
+u_int
+pfkey_set_softrate(type, rate)
+	u_int type, rate;
+{
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+
+	if (rate > 100 || rate == 0)
+		rate = 100;
+
+	switch (type) {
+	case SADB_X_LIFETIME_ALLOCATIONS:
+		soft_lifetime_allocations_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_BYTES:
+		soft_lifetime_bytes_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_ADDTIME:
+		soft_lifetime_addtime_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_USETIME:
+		soft_lifetime_usetime_rate = rate;
+		return 0;
+	}
+
+	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+	return 1;
+}
+
+/*
+ * get current rate for SOFT lifetime against HARD one.
+ * ATTENTION: ~0 is returned if invalid type was passed.
+ */
+u_int
+pfkey_get_softrate(type)
+	u_int type;
+{
+	switch (type) {
+	case SADB_X_LIFETIME_ALLOCATIONS:
+		return soft_lifetime_allocations_rate;
+	case SADB_X_LIFETIME_BYTES:
+		return soft_lifetime_bytes_rate;
+	case SADB_X_LIFETIME_ADDTIME:
+		return soft_lifetime_addtime_rate;
+	case SADB_X_LIFETIME_USETIME:
+		return soft_lifetime_usetime_rate;
+	}
+
+	return ~0;
+}
+
+/*
+ * sending SADB_GETSPI message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t min, max, reqid, seq;
+{
+	struct sadb_msg *newmsg;
+	caddr_t ep;
+	int len;
+	int need_spirange = 0;
+	caddr_t p;
+	int plen;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	if (min > max || (min > 0 && min <= 255)) {
+		__ipsec_errcode = EIPSEC_INVAL_SPI;
+		return -1;
+	}
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+
+	/* create new sadb_msg to send. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_x_sa2)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(src))
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
+
+	if (min > 255 && max < ~0) {
+		need_spirange++;
+		len += sizeof(struct sadb_spirange);
+	}
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
+	    len, satype, seq, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* set sadb_address for source */
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* set sadb_address for destination */
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* proccessing spi range */
+	if (need_spirange) {
+		struct sadb_spirange spirange;
+
+		if (p + sizeof(spirange) > ep) {
+			free(newmsg);
+			return -1;
+		}
+
+		memset(&spirange, 0, sizeof(spirange));
+		spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
+		spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+		spirange.sadb_spirange_min = min;
+		spirange.sadb_spirange_max = max;
+
+		memcpy(p, &spirange, sizeof(spirange));
+
+		p += sizeof(spirange);
+	}
+	if (p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_UPDATE message to the kernel.
+ * The length of key material is a_keylen + e_keylen.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq)
+	int so;
+	u_int satype, mode, wsize;
+	struct sockaddr *src, *dst;
+	u_int32_t spi, reqid;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc;
+	u_int64_t l_bytes, l_addtime, l_usetime;
+	u_int32_t seq;
+{
+	int len;
+	if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
+			reqid, wsize,
+			keymat, e_type, e_keylen, a_type, a_keylen, flags,
+			l_alloc, l_bytes, l_addtime, l_usetime, seq,
+			0, 0, 0, NULL, 0)) < 0)
+		return -1;
+
+	return len;
+}
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+int
+pfkey_send_update_nat(so, satype, mode, src, dst, spi, reqid, wsize,
+		      keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		      l_alloc, l_bytes, l_addtime, l_usetime, seq,
+		      l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
+		      l_natt_frag)
+	int so;
+	u_int satype, mode, wsize;
+	struct sockaddr *src, *dst;
+	u_int32_t spi, reqid;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc;
+	u_int64_t l_bytes, l_addtime, l_usetime;
+	u_int32_t seq;
+	u_int8_t l_natt_type;
+	u_int16_t l_natt_sport, l_natt_dport;
+	struct sockaddr *l_natt_oa;
+	u_int16_t l_natt_frag;
+{
+	int len;
+	if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
+			reqid, wsize,
+			keymat, e_type, e_keylen, a_type, a_keylen, flags,
+			l_alloc, l_bytes, l_addtime, l_usetime, seq,
+			l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
+			l_natt_frag)) < 0)
+		return -1;
+
+	return len;
+}
+#endif
+
+/*
+ * sending SADB_ADD message to the kernel.
+ * The length of key material is a_keylen + e_keylen.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq)
+	int so;
+	u_int satype, mode, wsize;
+	struct sockaddr *src, *dst;
+	u_int32_t spi, reqid;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc;
+	u_int64_t l_bytes, l_addtime, l_usetime;
+	u_int32_t seq;
+{
+	int len;
+	if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
+			reqid, wsize,
+			keymat, e_type, e_keylen, a_type, a_keylen, flags,
+			l_alloc, l_bytes, l_addtime, l_usetime, seq,
+			0, 0, 0, NULL, 0)) < 0)
+		return -1;
+
+	return len;
+}
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+int
+pfkey_send_add_nat(so, satype, mode, src, dst, spi, reqid, wsize,
+		   keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		   l_alloc, l_bytes, l_addtime, l_usetime, seq,
+		   l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
+		   l_natt_frag)
+	int so;
+	u_int satype, mode, wsize;
+	struct sockaddr *src, *dst;
+	u_int32_t spi, reqid;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc;
+	u_int64_t l_bytes, l_addtime, l_usetime;
+	u_int32_t seq;
+	u_int8_t l_natt_type;
+	u_int16_t l_natt_sport, l_natt_dport;
+	struct sockaddr *l_natt_oa;
+	u_int16_t l_natt_frag;
+{
+	int len;
+	if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
+			reqid, wsize,
+			keymat, e_type, e_keylen, a_type, a_keylen, flags,
+			l_alloc, l_bytes, l_addtime, l_usetime, seq,
+			l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
+			l_natt_frag)) < 0)
+		return -1;
+
+	return len;
+}
+#endif
+
+/*
+ * sending SADB_DELETE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_delete(so, satype, mode, src, dst, spi)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	int len;
+	if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_DELETE without spi to the kernel.  This is
+ * the "delete all" request (an extension also present in
+ * Solaris).
+ *
+ * OUT:
+ *	positive: success and return length sent
+ *	-1	: error occured, and set errno
+ */
+int
+pfkey_send_delete_all(so, satype, mode, src, dst)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(src))
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
+	    getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p || p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_GET message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_get(so, satype, mode, src, dst, spi)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	int len;
+	if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_REGISTER message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_register(so, satype)
+	int so;
+	u_int satype;
+{
+	int len, algno;
+
+	if (satype == PF_UNSPEC) {
+		for (algno = 0;
+		     algno < sizeof(supported_map)/sizeof(supported_map[0]);
+		     algno++) {
+			if (ipsec_supported[algno]) {
+				free(ipsec_supported[algno]);
+				ipsec_supported[algno] = NULL;
+			}
+		}
+	} else {
+		algno = findsupportedmap(satype);
+		if (algno == -1) {
+			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+			return -1;
+		}
+
+		if (ipsec_supported[algno]) {
+			free(ipsec_supported[algno]);
+			ipsec_supported[algno] = NULL;
+		}
+	}
+
+	if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * receiving SADB_REGISTER message from the kernel, and copy buffer for
+ * sadb_supported returned into ipsec_supported.
+ * OUT:
+ *	 0: success and return length sent.
+ *	-1: error occured, and set errno.
+ */
+int
+pfkey_recv_register(so)
+	int so;
+{
+	pid_t pid = getpid();
+	struct sadb_msg *newmsg;
+	int error = -1;
+
+	/* receive message */
+	for (;;) {
+		if ((newmsg = pfkey_recv(so)) == NULL)
+			return -1;
+		if (newmsg->sadb_msg_type == SADB_REGISTER &&
+		    newmsg->sadb_msg_pid == pid)
+			break;
+		free(newmsg);
+	}
+
+	/* check and fix */
+	newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
+
+	error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
+	free(newmsg);
+
+	if (error == 0)
+		__ipsec_errcode = EIPSEC_NO_ERROR;
+
+	return error;
+}
+
+/*
+ * receiving SADB_REGISTER message from the kernel, and copy buffer for
+ * sadb_supported returned into ipsec_supported.
+ * NOTE: sadb_msg_len must be host order.
+ * IN:
+ *	tlen: msg length, it's to makeing sure.
+ * OUT:
+ *	 0: success and return length sent.
+ *	-1: error occured, and set errno.
+ */
+int
+pfkey_set_supported(msg, tlen)
+	struct sadb_msg *msg;
+	int tlen;
+{
+	struct sadb_supported *sup;
+	caddr_t p;
+	caddr_t ep;
+
+	/* validity */
+	if (msg->sadb_msg_len != tlen) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	p = (caddr_t)msg;
+	ep = p + tlen;
+
+	p += sizeof(struct sadb_msg);
+
+	while (p < ep) {
+		sup = (struct sadb_supported *)p;
+		if (ep < p + sizeof(*sup) ||
+		    PFKEY_EXTLEN(sup) < sizeof(*sup) ||
+		    ep < p + sup->sadb_supported_len) {
+			/* invalid format */
+			break;
+		}
+
+		switch (sup->sadb_supported_exttype) {
+		case SADB_EXT_SUPPORTED_AUTH:
+		case SADB_EXT_SUPPORTED_ENCRYPT:
+			break;
+		default:
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+
+		/* fixed length */
+		sup->sadb_supported_len = PFKEY_EXTLEN(sup);
+
+		/* set supported map */
+		if (setsupportedmap(sup) != 0)
+			return -1;
+
+		p += sup->sadb_supported_len;
+	}
+
+	if (p != ep) {
+		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+
+	return 0;
+}
+
+/*
+ * sending SADB_FLUSH message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_flush(so, satype)
+	int so;
+	u_int satype;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_DUMP message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_dump(so, satype)
+	int so;
+	u_int satype;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_PROMISC message to the kernel.
+ * NOTE that this function handles promisc mode toggle only.
+ * IN:
+ *	flag:	set promisc off if zero, set promisc on if non-zero.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ *	0     : error occured, and set errno.
+ *	others: a pointer to new allocated buffer in which supported
+ *	        algorithms is.
+ */
+int
+pfkey_send_promisc_toggle(so, flag)
+	int so;
+	int flag;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDADD message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
+				src, prefs, dst, prefd, proto,
+				0, 0,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDADD message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
+		policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	u_int64_t ltime, vtime;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
+				src, prefs, dst, prefd, proto,
+				ltime, vtime,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDUPDATE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
+				src, prefs, dst, prefd, proto,
+				0, 0,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDUPDATE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
+		policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	u_int64_t ltime, vtime;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
+				src, prefs, dst, prefd, proto,
+				ltime, vtime,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDDELETE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if (policylen != sizeof(struct sadb_x_policy)) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
+				src, prefs, dst, prefd, proto,
+				0, 0,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDDELETE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spddelete2(so, spid)
+	int so;
+	u_int32_t spid;
+{
+	int len;
+
+	if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDGET message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdget(so, spid)
+	int so;
+	u_int32_t spid;
+{
+	int len;
+
+	if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDSETIDX message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if (policylen != sizeof(struct sadb_x_policy)) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
+				src, prefs, dst, prefd, proto,
+				0, 0,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_SPDFLUSH message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdflush(so)
+	int so;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_SPDDUMP message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spddump(so)
+	int so;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
+		return -1;
+
+	return len;
+}
+
+/* sending SADB_ADD or SADB_UPDATE message to the kernel */
+static int
+pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq,
+	        l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa, 
+		l_natt_frag)
+	int so;
+	u_int type, satype, mode;
+	struct sockaddr *src, *dst, *l_natt_oa;
+	u_int32_t spi, reqid;
+	u_int wsize;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
+	u_int16_t l_natt_sport, l_natt_dport;
+	u_int8_t l_natt_type;
+	u_int16_t l_natt_frag;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+
+	switch (satype) {
+	case SADB_SATYPE_ESP:
+		if (e_type == SADB_EALG_NONE) {
+			__ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+		break;
+	case SADB_SATYPE_AH:
+		if (e_type != SADB_EALG_NONE) {
+			__ipsec_errcode = EIPSEC_INVAL_ALGS;
+			return -1;
+		}
+		if (a_type == SADB_AALG_NONE) {
+			__ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+		break;
+	case SADB_X_SATYPE_IPCOMP:
+		if (e_type == SADB_X_CALG_NONE) {
+			__ipsec_errcode = EIPSEC_INVAL_ALGS;
+			return -1;
+		}
+		if (a_type != SADB_AALG_NONE) {
+			__ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_sa)
+		+ sizeof(struct sadb_x_sa2)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(src))
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(dst))
+		+ sizeof(struct sadb_lifetime)
+		+ sizeof(struct sadb_lifetime);
+
+	if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP)
+		len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
+	if (a_type != SADB_AALG_NONE)
+		len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+	/* add nat-t packets */
+	if (l_natt_type) {
+		if (satype != SADB_SATYPE_ESP) {
+			__ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+
+		len += sizeof(struct sadb_x_nat_t_type);
+		len += sizeof(struct sadb_x_nat_t_port);
+		len += sizeof(struct sadb_x_nat_t_port);
+		if (l_natt_oa)
+			len += sizeof(struct sadb_address) +
+			  PFKEY_ALIGN8(sysdep_sa_len(l_natt_oa));
+#ifdef SADB_X_EXT_NAT_T_FRAG
+		if (l_natt_frag)
+			len += sizeof(struct sadb_x_nat_t_frag);
+#endif
+	}
+#endif
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	                     satype, seq, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP) {
+		p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
+		                   keymat, e_keylen);
+		if (!p) {
+			free(newmsg);
+			return -1;
+		}
+	}
+	if (a_type != SADB_AALG_NONE) {
+		p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
+		                   keymat + e_keylen, a_keylen);
+		if (!p) {
+			free(newmsg);
+			return -1;
+		}
+	}
+
+	/* set sadb_lifetime for destination */
+	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
+			l_alloc, l_bytes, l_addtime, l_usetime);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
+			l_alloc, l_bytes, l_addtime, l_usetime);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+	/* Add nat-t messages */
+	if (l_natt_type) {
+		p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE, l_natt_type);
+		if (!p) {
+			free(newmsg);
+			return -1;
+		}
+
+		p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT,
+					l_natt_sport);
+		if (!p) {
+			free(newmsg);
+			return -1;
+		}
+
+		p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT,
+					l_natt_dport);
+		if (!p) {
+			free(newmsg);
+			return -1;
+		}
+
+		if (l_natt_oa) {
+			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
+					      l_natt_oa,
+					      PFKEY_ALIGN8(sysdep_sa_len(l_natt_oa)),
+					      IPSEC_ULPROTO_ANY);
+			if (!p) {
+				free(newmsg);
+				return -1;
+			}
+		}
+
+		if (l_natt_frag) {
+#ifdef SADB_X_EXT_NAT_T_FRAG
+			p = pfkey_set_natt_frag(p, ep, SADB_X_EXT_NAT_T_FRAG,
+					l_natt_frag);
+			if (!p) {
+				free(newmsg);
+				return -1;
+			}
+#endif
+		}
+	}
+#endif
+
+	if (p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/* sending SADB_DELETE or SADB_GET message to the kernel */
+static int
+pfkey_send_x2(so, type, satype, mode, src, dst, spi)
+	int so;
+	u_int type, satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_sa)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(src))
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
+	    getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p || p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
+ * to the kernel
+ */
+static int
+pfkey_send_x3(so, type, satype)
+	int so;
+	u_int type, satype;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	caddr_t ep;
+
+	/* validity check */
+	switch (type) {
+	case SADB_X_PROMISC:
+		if (satype != 0 && satype != 1) {
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+		break;
+	default:
+		switch (satype) {
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_AH:
+		case SADB_SATYPE_ESP:
+		case SADB_X_SATYPE_IPCOMP:
+			break;
+		default:
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+	}
+
+	/* create new sadb_msg to send. */
+	len = sizeof(struct sadb_msg);
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
+	    getpid());
+	if (!p || p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/* sending SADB_X_SPDADD message to the kernel */
+static int
+pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
+		ltime, vtime, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int type, prefs, prefd, proto;
+	u_int64_t ltime, vtime;
+	char *policy;
+	int policylen;
+	u_int32_t seq;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+	if (prefs > plen || prefd > plen) {
+		__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(src))
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(sysdep_sa_len(src))
+		+ sizeof(struct sadb_lifetime)
+		+ policylen;
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	    SADB_SATYPE_UNSPEC, seq, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
+			0, 0, ltime, vtime);
+	if (!p || p + policylen != ep) {
+		free(newmsg);
+		return -1;
+	}
+	memcpy(p, policy, policylen);
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
+static int
+pfkey_send_x5(so, type, spid)
+	int so;
+	u_int type;
+	u_int32_t spid;
+{
+	struct sadb_msg *newmsg;
+	struct sadb_x_policy xpl;
+	int len;
+	caddr_t p;
+	caddr_t ep;
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(xpl);
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	    SADB_SATYPE_UNSPEC, 0, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	if (p + sizeof(xpl) != ep) {
+		free(newmsg);
+		return -1;
+	}
+	memset(&xpl, 0, sizeof(xpl));
+	xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
+	xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	xpl.sadb_x_policy_id = spid;
+	memcpy(p, &xpl, sizeof(xpl));
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * open a socket.
+ * OUT:
+ *	-1: fail.
+ *	others : success and return value of socket.
+ */
+int
+pfkey_open()
+{
+	int so;
+	const int bufsiz = 128 * 1024;	/*is 128K enough?*/
+
+	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	/*
+	 * This is a temporary workaround for KAME PR 154.
+	 * Don't really care even if it fails.
+	 */
+	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
+	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return so;
+}
+
+/*
+ * close a socket.
+ * OUT:
+ *	 0: success.
+ *	-1: fail.
+ */
+void
+pfkey_close(so)
+	int so;
+{
+	(void)close(so);
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return;
+}
+
+/*
+ * receive sadb_msg data, and return pointer to new buffer allocated.
+ * Must free this buffer later.
+ * OUT:
+ *	NULL	: error occured.
+ *	others	: a pointer to sadb_msg structure.
+ *
+ * XXX should be rewritten to pass length explicitly
+ */
+struct sadb_msg *
+pfkey_recv(so)
+	int so;
+{
+	struct sadb_msg buf, *newmsg;
+	int len, reallen;
+
+	while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
+		if (errno == EINTR)
+			continue;
+		__ipsec_set_strerror(strerror(errno));
+		return NULL;
+	}
+
+	if (len < sizeof(buf)) {
+		recv(so, (caddr_t)&buf, sizeof(buf), 0);
+		__ipsec_errcode = EIPSEC_MAX;
+		return NULL;
+	}
+
+	/* read real message */
+	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
+	if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) {
+		__ipsec_set_strerror(strerror(errno));
+		return NULL;
+	}
+
+	while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
+		if (errno == EINTR)
+			continue;
+		__ipsec_set_strerror(strerror(errno));
+		free(newmsg);
+		return NULL;
+	}
+
+	if (len != reallen) {
+		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+		free(newmsg);
+		return NULL;
+	}
+
+	/* don't trust what the kernel says, validate! */
+	if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
+		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+		free(newmsg);
+		return NULL;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return newmsg;
+}
+
+/*
+ * send message to a socket.
+ * OUT:
+ *	 others: success and return length sent.
+ *	-1     : fail.
+ */
+int
+pfkey_send(so, msg, len)
+	int so;
+	struct sadb_msg *msg;
+	int len;
+{
+	if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * %%% Utilities
+ * NOTE: These functions are derived from netkey/key.c in KAME.
+ */
+/*
+ * set the pointer to each header in this message buffer.
+ * IN:	msg: pointer to message buffer.
+ *	mhp: pointer to the buffer initialized like below:
+ *		caddr_t mhp[SADB_EXT_MAX + 1];
+ * OUT:	-1: invalid.
+ *	 0: valid.
+ *
+ * XXX should be rewritten to obtain length explicitly
+ */
+int
+pfkey_align(msg, mhp)
+	struct sadb_msg *msg;
+	caddr_t *mhp;
+{
+	struct sadb_ext *ext;
+	int i;
+	caddr_t p;
+	caddr_t ep;	/* XXX should be passed from upper layer */
+
+	/* validity check */
+	if (msg == NULL || mhp == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	/* initialize */
+	for (i = 0; i < SADB_EXT_MAX + 1; i++)
+		mhp[i] = NULL;
+
+	mhp[0] = (caddr_t)msg;
+
+	/* initialize */
+	p = (caddr_t) msg;
+	ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
+
+	/* skip base header */
+	p += sizeof(struct sadb_msg);
+
+	while (p < ep) {
+		ext = (struct sadb_ext *)p;
+		if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
+		    ep < p + PFKEY_EXTLEN(ext)) {
+			/* invalid format */
+			break;
+		}
+
+		/* duplicate check */
+		/* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
+		if (mhp[ext->sadb_ext_type] != NULL) {
+			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+			return -1;
+		}
+
+		/* set pointer */
+		switch (ext->sadb_ext_type) {
+		case SADB_EXT_SA:
+		case SADB_EXT_LIFETIME_CURRENT:
+		case SADB_EXT_LIFETIME_HARD:
+		case SADB_EXT_LIFETIME_SOFT:
+		case SADB_EXT_ADDRESS_SRC:
+		case SADB_EXT_ADDRESS_DST:
+		case SADB_EXT_ADDRESS_PROXY:
+		case SADB_EXT_KEY_AUTH:
+			/* XXX should to be check weak keys. */
+		case SADB_EXT_KEY_ENCRYPT:
+			/* XXX should to be check weak keys. */
+		case SADB_EXT_IDENTITY_SRC:
+		case SADB_EXT_IDENTITY_DST:
+		case SADB_EXT_SENSITIVITY:
+		case SADB_EXT_PROPOSAL:
+		case SADB_EXT_SUPPORTED_AUTH:
+		case SADB_EXT_SUPPORTED_ENCRYPT:
+		case SADB_EXT_SPIRANGE:
+		case SADB_X_EXT_POLICY:
+		case SADB_X_EXT_SA2:
+#ifdef SADB_X_EXT_NAT_T_TYPE
+		case SADB_X_EXT_NAT_T_TYPE:
+		case SADB_X_EXT_NAT_T_SPORT:
+		case SADB_X_EXT_NAT_T_DPORT:
+		case SADB_X_EXT_NAT_T_OA:
+#endif
+#ifdef SADB_X_EXT_TAG
+		case SADB_X_EXT_TAG:
+#endif
+			mhp[ext->sadb_ext_type] = (caddr_t)ext;
+			break;
+		default:
+			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+			return -1;
+		}
+
+		p += PFKEY_EXTLEN(ext);
+	}
+
+	if (p != ep) {
+		__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
+		return -1;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * check basic usage for sadb_msg,
+ * NOTE: This routine is derived from netkey/key.c in KAME.
+ * IN:	msg: pointer to message buffer.
+ *	mhp: pointer to the buffer initialized like below:
+ *
+ *		caddr_t mhp[SADB_EXT_MAX + 1];
+ *
+ * OUT:	-1: invalid.
+ *	 0: valid.
+ */
+int
+pfkey_check(mhp)
+	caddr_t *mhp;
+{
+	struct sadb_msg *msg;
+
+	/* validity check */
+	if (mhp == NULL || mhp[0] == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	msg = (struct sadb_msg *)mhp[0];
+
+	/* check version */
+	if (msg->sadb_msg_version != PF_KEY_V2) {
+		__ipsec_errcode = EIPSEC_INVAL_VERSION;
+		return -1;
+	}
+
+	/* check type */
+	if (msg->sadb_msg_type > SADB_MAX) {
+		__ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
+		return -1;
+	}
+
+	/* check SA type */
+	switch (msg->sadb_msg_satype) {
+	case SADB_SATYPE_UNSPEC:
+		switch (msg->sadb_msg_type) {
+		case SADB_GETSPI:
+		case SADB_UPDATE:
+		case SADB_ADD:
+		case SADB_DELETE:
+		case SADB_GET:
+		case SADB_ACQUIRE:
+		case SADB_EXPIRE:
+#ifdef SADB_X_NAT_T_NEW_MAPPING
+		case SADB_X_NAT_T_NEW_MAPPING:
+#endif
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+		break;
+	case SADB_SATYPE_ESP:
+	case SADB_SATYPE_AH:
+	case SADB_X_SATYPE_IPCOMP:
+		switch (msg->sadb_msg_type) {
+		case SADB_X_SPDADD:
+		case SADB_X_SPDDELETE:
+		case SADB_X_SPDGET:
+		case SADB_X_SPDDUMP:
+		case SADB_X_SPDFLUSH:
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+#ifdef SADB_X_NAT_T_NEW_MAPPING
+		if (msg->sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING &&
+		    msg->sadb_msg_satype != SADB_SATYPE_ESP) {
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+#endif
+		break;
+	case SADB_SATYPE_RSVP:
+	case SADB_SATYPE_OSPFV2:
+	case SADB_SATYPE_RIPV2:
+	case SADB_SATYPE_MIP:
+		__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+		return -1;
+	case 1:	/* XXX: What does it do ? */
+		if (msg->sadb_msg_type == SADB_X_PROMISC)
+			break;
+		/*FALLTHROUGH*/
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	/* check field of upper layer protocol and address family */
+	if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
+	 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
+		struct sadb_address *src0, *dst0;
+
+		src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
+		dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
+
+		if (src0->sadb_address_proto != dst0->sadb_address_proto) {
+			__ipsec_errcode = EIPSEC_PROTO_MISMATCH;
+			return -1;
+		}
+
+		if (PFKEY_ADDR_SADDR(src0)->sa_family
+		 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
+			__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+			return -1;
+		}
+
+		switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
+		case AF_INET:
+		case AF_INET6:
+			break;
+		default:
+			__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+			return -1;
+		}
+
+		/*
+		 * prefixlen == 0 is valid because there must be the case
+		 * all addresses are matched.
+		 */
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * set data into sadb_msg.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
+	caddr_t buf;
+	caddr_t lim;
+	u_int type, satype;
+	u_int tlen;
+	u_int32_t seq;
+	pid_t pid;
+{
+	struct sadb_msg *p;
+	u_int len;
+
+	p = (struct sadb_msg *)buf;
+	len = sizeof(struct sadb_msg);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_msg_version = PF_KEY_V2;
+	p->sadb_msg_type = type;
+	p->sadb_msg_errno = 0;
+	p->sadb_msg_satype = satype;
+	p->sadb_msg_len = PFKEY_UNIT64(tlen);
+	p->sadb_msg_reserved = 0;
+	p->sadb_msg_seq = seq;
+	p->sadb_msg_pid = (u_int32_t)pid;
+
+	return(buf + len);
+}
+
+/*
+ * copy secasvar data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
+	caddr_t buf;
+	caddr_t lim;
+	u_int32_t spi, flags;
+	u_int wsize, auth, enc;
+{
+	struct sadb_sa *p;
+	u_int len;
+
+	p = (struct sadb_sa *)buf;
+	len = sizeof(struct sadb_sa);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_sa_len = PFKEY_UNIT64(len);
+	p->sadb_sa_exttype = SADB_EXT_SA;
+	p->sadb_sa_spi = spi;
+	p->sadb_sa_replay = wsize;
+	p->sadb_sa_state = SADB_SASTATE_LARVAL;
+	p->sadb_sa_auth = auth;
+	p->sadb_sa_encrypt = enc;
+	p->sadb_sa_flags = flags;
+
+	return(buf + len);
+}
+
+/*
+ * set data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ * prefixlen is in bits.
+ */
+static caddr_t
+pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
+	caddr_t buf;
+	caddr_t lim;
+	u_int exttype;
+	struct sockaddr *saddr;
+	u_int prefixlen;
+	u_int ul_proto;
+{
+	struct sadb_address *p;
+	u_int len;
+
+	p = (struct sadb_address *)buf;
+	len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len(saddr));
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_address_len = PFKEY_UNIT64(len);
+	p->sadb_address_exttype = exttype & 0xffff;
+	p->sadb_address_proto = ul_proto & 0xff;
+	p->sadb_address_prefixlen = prefixlen;
+	p->sadb_address_reserved = 0;
+
+	memcpy(p + 1, saddr, sysdep_sa_len(saddr));
+
+	return(buf + len);
+}
+
+/*
+ * set sadb_key structure after clearing buffer with zero.
+ * OUT: the pointer of buf + len.
+ */
+static caddr_t
+pfkey_setsadbkey(buf, lim, type, key, keylen)
+	caddr_t buf;
+	caddr_t lim;
+	caddr_t key;
+	u_int type, keylen;
+{
+	struct sadb_key *p;
+	u_int len;
+
+	p = (struct sadb_key *)buf;
+	len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_key_len = PFKEY_UNIT64(len);
+	p->sadb_key_exttype = type;
+	p->sadb_key_bits = keylen << 3;
+	p->sadb_key_reserved = 0;
+
+	memcpy(p + 1, key, keylen);
+
+	return buf + len;
+}
+
+/*
+ * set sadb_lifetime structure after clearing buffer with zero.
+ * OUT: the pointer of buf + len.
+ */
+static caddr_t
+pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
+	caddr_t buf;
+	caddr_t lim;
+	u_int type;
+	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
+{
+	struct sadb_lifetime *p;
+	u_int len;
+
+	p = (struct sadb_lifetime *)buf;
+	len = sizeof(struct sadb_lifetime);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_lifetime_len = PFKEY_UNIT64(len);
+	p->sadb_lifetime_exttype = type;
+
+	switch (type) {
+	case SADB_EXT_LIFETIME_SOFT:
+		p->sadb_lifetime_allocations
+			= (l_alloc * soft_lifetime_allocations_rate) /100;
+		p->sadb_lifetime_bytes
+			= (l_bytes * soft_lifetime_bytes_rate) /100;
+		p->sadb_lifetime_addtime
+			= (l_addtime * soft_lifetime_addtime_rate) /100;
+		p->sadb_lifetime_usetime
+			= (l_usetime * soft_lifetime_usetime_rate) /100;
+		break;
+	case SADB_EXT_LIFETIME_HARD:
+		p->sadb_lifetime_allocations = l_alloc;
+		p->sadb_lifetime_bytes = l_bytes;
+		p->sadb_lifetime_addtime = l_addtime;
+		p->sadb_lifetime_usetime = l_usetime;
+		break;
+	}
+
+	return buf + len;
+}
+
+/*
+ * copy secasvar data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbxsa2(buf, lim, mode0, reqid)
+	caddr_t buf;
+	caddr_t lim;
+	u_int32_t mode0;
+	u_int32_t reqid;
+{
+	struct sadb_x_sa2 *p;
+	u_int8_t mode = mode0 & 0xff;
+	u_int len;
+
+	p = (struct sadb_x_sa2 *)buf;
+	len = sizeof(struct sadb_x_sa2);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_x_sa2_len = PFKEY_UNIT64(len);
+	p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+	p->sadb_x_sa2_mode = mode;
+	p->sadb_x_sa2_reqid = reqid;
+
+	return(buf + len);
+}
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+static caddr_t
+pfkey_set_natt_type(buf, lim, type, l_natt_type)
+	caddr_t buf;
+	caddr_t lim;
+	u_int type;
+	u_int8_t l_natt_type;
+{
+	struct sadb_x_nat_t_type *p;
+	u_int len;
+
+	p = (struct sadb_x_nat_t_type *)buf;
+	len = sizeof(struct sadb_x_nat_t_type);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len);
+	p->sadb_x_nat_t_type_exttype = type;
+	p->sadb_x_nat_t_type_type = l_natt_type;
+
+	return(buf + len);
+}
+
+static caddr_t
+pfkey_set_natt_port(buf, lim, type, l_natt_port)
+	caddr_t buf;
+	caddr_t lim;
+	u_int type;
+	u_int16_t l_natt_port;
+{
+	struct sadb_x_nat_t_port *p;
+	u_int len;
+
+	p = (struct sadb_x_nat_t_port *)buf;
+	len = sizeof(struct sadb_x_nat_t_port);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
+	p->sadb_x_nat_t_port_exttype = type;
+	p->sadb_x_nat_t_port_port = htons(l_natt_port);
+
+	return(buf + len);
+}
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_FRAG
+static caddr_t
+pfkey_set_natt_frag(buf, lim, type, l_natt_frag)
+	caddr_t buf;
+	caddr_t lim;
+	u_int type;
+	u_int16_t l_natt_frag;
+{
+	struct sadb_x_nat_t_frag *p;
+	u_int len;
+
+	p = (struct sadb_x_nat_t_frag *)buf;
+	len = sizeof(struct sadb_x_nat_t_frag);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_x_nat_t_frag_len = PFKEY_UNIT64(len);
+	p->sadb_x_nat_t_frag_exttype = type;
+	p->sadb_x_nat_t_frag_fraglen = l_natt_frag;
+
+	return(buf + len);
+}
+#endif
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,694 @@
+/*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#ifdef HAVE_NETINET6_IPSEC
+#  include <netinet6/ipsec.h>
+#else
+#  include <netinet/ipsec.h>
+#endif
+#include <net/pfkeyv2.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <netdb.h>
+
+#include "ipsec_strerror.h"
+#include "libpfkey.h"
+
+/* cope with old kame headers - ugly */
+#ifndef SADB_X_AALG_MD5
+#define SADB_X_AALG_MD5		SADB_AALG_MD5	
+#endif
+#ifndef SADB_X_AALG_SHA
+#define SADB_X_AALG_SHA		SADB_AALG_SHA
+#endif
+#ifndef SADB_X_AALG_NULL
+#define SADB_X_AALG_NULL	SADB_AALG_NULL
+#endif
+
+#ifndef SADB_X_EALG_BLOWFISHCBC
+#define SADB_X_EALG_BLOWFISHCBC	SADB_EALG_BLOWFISHCBC
+#endif
+#ifndef SADB_X_EALG_CAST128CBC
+#define SADB_X_EALG_CAST128CBC	SADB_EALG_CAST128CBC
+#endif
+#ifndef SADB_X_EALG_RC5CBC
+#ifdef SADB_EALG_RC5CBC
+#define SADB_X_EALG_RC5CBC	SADB_EALG_RC5CBC
+#endif
+#endif
+
+#define GETMSGSTR(str, num) \
+do { \
+	if (sizeof((str)[0]) == 0 \
+	 || num >= sizeof(str)/sizeof((str)[0])) \
+		printf("%u ", (num)); \
+	else if (strlen((str)[(num)]) == 0) \
+		printf("%u ", (num)); \
+	else \
+		printf("%s ", (str)[(num)]); \
+} while (0)
+
+#define GETMSGV2S(v2s, num) \
+do { \
+	struct val2str *p;  \
+	for (p = (v2s); p && p->str; p++) { \
+		if (p->val == (num)) \
+			break; \
+	} \
+	if (p && p->str) \
+		printf("%s ", p->str); \
+	else \
+		printf("%u ", (num)); \
+} while (0)
+
+static char *str_ipaddr __P((struct sockaddr *));
+static char *str_prefport __P((u_int, u_int, u_int, u_int));
+static void str_upperspec __P((u_int, u_int, u_int));
+static char *str_time __P((time_t));
+static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
+
+struct val2str {
+	int val;
+	const char *str;
+};
+
+/*
+ * Must to be re-written about following strings.
+ */
+static char *str_satype[] = {
+	"unspec",
+	"unknown",
+	"ah",
+	"esp",
+	"unknown",
+	"rsvp",
+	"ospfv2",
+	"ripv2",
+	"mip",
+	"ipcomp",
+};
+
+static char *str_mode[] = {
+	"any",
+	"transport",
+	"tunnel",
+};
+
+static char *str_state[] = {
+	"larval",
+	"mature",
+	"dying",
+	"dead",
+};
+
+static struct val2str str_alg_auth[] = {
+	{ SADB_AALG_NONE, "none", },
+	{ SADB_AALG_MD5HMAC, "hmac-md5", },
+	{ SADB_AALG_SHA1HMAC, "hmac-sha1", },
+	{ SADB_X_AALG_MD5, "md5", },
+	{ SADB_X_AALG_SHA, "sha", },
+	{ SADB_X_AALG_NULL, "null", },
+#ifdef SADB_X_AALG_SHA2_256
+	{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
+#endif
+#ifdef SADB_X_AALG_SHA2_384
+	{ SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
+#endif
+#ifdef SADB_X_AALG_SHA2_512
+	{ SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
+#endif
+#ifdef SADB_X_AALG_RIPEMD160HMAC
+	{ SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", },
+#endif
+#ifdef SADB_X_AALG_AES_XCBC_MAC
+	{ SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", },
+#endif
+	{ -1, NULL, },
+};
+
+static struct val2str str_alg_enc[] = {
+	{ SADB_EALG_NONE, "none", },
+	{ SADB_EALG_DESCBC, "des-cbc", },
+	{ SADB_EALG_3DESCBC, "3des-cbc", },
+	{ SADB_EALG_NULL, "null", },
+#ifdef SADB_X_EALG_RC5CBC
+	{ SADB_X_EALG_RC5CBC, "rc5-cbc", },
+#endif
+	{ SADB_X_EALG_CAST128CBC, "cast128-cbc", },
+	{ SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
+#ifdef SADB_X_EALG_AESCBC
+	{ SADB_X_EALG_AESCBC, "aes-cbc", },
+#endif
+#ifdef SADB_X_EALG_TWOFISHCBC
+	{ SADB_X_EALG_TWOFISHCBC, "twofish-cbc", },
+#endif
+#ifdef SADB_X_EALG_AESCTR
+	{ SADB_X_EALG_AESCTR, "aes-ctr", },
+#endif
+	{ -1, NULL, },
+};
+
+static struct val2str str_alg_comp[] = {
+	{ SADB_X_CALG_NONE, "none", },
+	{ SADB_X_CALG_OUI, "oui", },
+	{ SADB_X_CALG_DEFLATE, "deflate", },
+	{ SADB_X_CALG_LZS, "lzs", },
+	{ -1, NULL, },
+};
+
+/*
+ * dump SADB_MSG formated.  For debugging, you should use kdebug_sadb().
+ */
+void
+pfkey_sadump(m)
+	struct sadb_msg *m;
+{
+	caddr_t mhp[SADB_EXT_MAX + 1];
+	struct sadb_sa *m_sa;
+	struct sadb_x_sa2 *m_sa2;
+	struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
+	struct sadb_address *m_saddr, *m_daddr, *m_paddr;
+	struct sadb_key *m_auth, *m_enc;
+	struct sadb_ident *m_sid, *m_did;
+	struct sadb_sens *m_sens;
+#ifdef SADB_X_EXT_NAT_T_TYPE
+	struct sadb_x_nat_t_type *natt_type;
+	struct sadb_x_nat_t_port *natt_sport, *natt_dport;
+	struct sadb_address *natt_oa;
+
+	int use_natt = 0;
+#endif
+
+	/* check pfkey message. */
+	if (pfkey_align(m, mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+	if (pfkey_check(mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+
+	m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+	m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
+	m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
+	m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+	m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
+	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+	m_paddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_PROXY];
+	m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
+	m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
+	m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
+	m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
+	m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
+#ifdef SADB_X_EXT_NAT_T_TYPE
+	natt_type = (struct sadb_x_nat_t_type *)mhp[SADB_X_EXT_NAT_T_TYPE];
+	natt_sport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_SPORT];
+	natt_dport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_DPORT];
+	natt_oa = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OA];
+
+	if (natt_type && natt_type->sadb_x_nat_t_type_type)
+		use_natt = 1;
+#endif
+
+	/* source address */
+	if (m_saddr == NULL) {
+		printf("no ADDRESS_SRC extension.\n");
+		return;
+	}
+	printf("%s", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
+#ifdef SADB_X_EXT_NAT_T_TYPE
+	if (use_natt && natt_sport)
+		printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
+#endif
+	printf(" ");
+
+	/* destination address */
+	if (m_daddr == NULL) {
+		printf(" no ADDRESS_DST extension.\n");
+		return;
+	}
+	printf("%s", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
+#ifdef SADB_X_EXT_NAT_T_TYPE
+	if (use_natt && natt_dport)
+		printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
+#endif
+	printf(" ");
+
+	/* SA type */
+	if (m_sa == NULL) {
+		printf("no SA extension.\n");
+		return;
+	}
+	if (m_sa2 == NULL) {
+		printf("no SA2 extension.\n");
+		return;
+	}
+	printf("\n\t");
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+	if (use_natt && m->sadb_msg_satype == SADB_SATYPE_ESP)
+		printf("esp-udp ");
+	else if (use_natt)
+		printf("natt+");
+
+	if (!use_natt || m->sadb_msg_satype != SADB_SATYPE_ESP)
+#endif
+	GETMSGSTR(str_satype, m->sadb_msg_satype);
+
+	printf("mode=");
+	GETMSGSTR(str_mode, m_sa2->sadb_x_sa2_mode);
+
+	printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
+		(u_int32_t)ntohl(m_sa->sadb_sa_spi),
+		(u_int32_t)ntohl(m_sa->sadb_sa_spi),
+		(u_int32_t)m_sa2->sadb_x_sa2_reqid,
+		(u_int32_t)m_sa2->sadb_x_sa2_reqid);
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+	/* other NAT-T information */
+	if (use_natt && natt_oa)
+		printf("\tNAT OA=%s\n",
+		       str_ipaddr((struct sockaddr *)(natt_oa + 1)));
+#endif
+
+	/* encryption key */
+	if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
+		printf("\tC: ");
+		GETMSGV2S(str_alg_comp, m_sa->sadb_sa_encrypt);
+	} else if (m->sadb_msg_satype == SADB_SATYPE_ESP) {
+		if (m_enc != NULL) {
+			printf("\tE: ");
+			GETMSGV2S(str_alg_enc, m_sa->sadb_sa_encrypt);
+			ipsec_hexdump((caddr_t)m_enc + sizeof(*m_enc),
+				      m_enc->sadb_key_bits / 8);
+			printf("\n");
+		}
+	}
+
+	/* authentication key */
+	if (m_auth != NULL) {
+		printf("\tA: ");
+		GETMSGV2S(str_alg_auth, m_sa->sadb_sa_auth);
+		ipsec_hexdump((caddr_t)m_auth + sizeof(*m_auth),
+		              m_auth->sadb_key_bits / 8);
+		printf("\n");
+	}
+
+	/* replay windoe size & flags */
+	printf("\tseq=0x%08x replay=%u flags=0x%08x ",
+		m_sa2->sadb_x_sa2_sequence,
+		m_sa->sadb_sa_replay,
+		m_sa->sadb_sa_flags);
+
+	/* state */
+	printf("state=");
+	GETMSGSTR(str_state, m_sa->sadb_sa_state);
+	printf("\n");
+
+	/* lifetime */
+	if (m_lftc != NULL) {
+		time_t tmp_time = time(0);
+
+		printf("\tcreated: %s",
+			str_time(m_lftc->sadb_lifetime_addtime));
+		printf("\tcurrent: %s\n", str_time(tmp_time));
+		printf("\tdiff: %lu(s)",
+			(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
+			0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
+
+		printf("\thard: %lu(s)",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_addtime));
+		printf("\tsoft: %lu(s)\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_addtime));
+
+		printf("\tlast: %s",
+			str_time(m_lftc->sadb_lifetime_usetime));
+		printf("\thard: %lu(s)",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_usetime));
+		printf("\tsoft: %lu(s)\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_usetime));
+
+		str_lifetime_byte(m_lftc, "current");
+		str_lifetime_byte(m_lfth, "hard");
+		str_lifetime_byte(m_lfts, "soft");
+		printf("\n");
+
+		printf("\tallocated: %lu",
+			(unsigned long)m_lftc->sadb_lifetime_allocations);
+		printf("\thard: %lu",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_allocations));
+		printf("\tsoft: %lu\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_allocations));
+	}
+
+	printf("\tsadb_seq=%lu pid=%lu ",
+		(u_long)m->sadb_msg_seq,
+		(u_long)m->sadb_msg_pid);
+
+	/* XXX DEBUG */
+	printf("refcnt=%u\n", m->sadb_msg_reserved);
+
+	return;
+}
+
+void
+pfkey_spdump(m)
+	struct sadb_msg *m;
+{
+	char pbuf[NI_MAXSERV];
+	caddr_t mhp[SADB_EXT_MAX + 1];
+	struct sadb_address *m_saddr, *m_daddr;
+#ifdef SADB_X_EXT_TAG
+	struct sadb_x_tag *m_tag;
+#endif
+	struct sadb_x_policy *m_xpl;
+	struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
+	struct sockaddr *sa;
+	u_int16_t sport = 0, dport = 0;
+
+	/* check pfkey message. */
+	if (pfkey_align(m, mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+	if (pfkey_check(mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+
+	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+#ifdef SADB_X_EXT_TAG
+	m_tag = (struct sadb_x_tag *)mhp[SADB_X_EXT_TAG];
+#endif
+	m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+	m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
+	m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+
+#ifdef __linux__
+	/* *bsd indicates per-socket policies by omiting src and dst 
+	 * extensions. Linux always includes them, but we can catch it
+	 * by checkin for policy id.
+	 */
+	if (m_xpl->sadb_x_policy_id % 8 >= 3) {
+		printf("(per-socket policy) ");
+	} else
+#endif
+	if (m_saddr && m_daddr) {
+		/* source address */
+		sa = (struct sockaddr *)(m_saddr + 1);
+		switch (sa->sa_family) {
+		case AF_INET:
+		case AF_INET6:
+			if (getnameinfo(sa, sysdep_sa_len(sa), NULL, 0,
+			    pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
+				sport = 0;	/*XXX*/
+			else
+				sport = atoi(pbuf);
+			printf("%s%s ", str_ipaddr(sa),
+				str_prefport(sa->sa_family,
+				    m_saddr->sadb_address_prefixlen, sport,
+				    m_saddr->sadb_address_proto));
+			break;
+		default:
+			printf("unknown-af ");
+			break;
+		}
+
+		/* destination address */
+		sa = (struct sockaddr *)(m_daddr + 1);
+		switch (sa->sa_family) {
+		case AF_INET:
+		case AF_INET6:
+			if (getnameinfo(sa, sysdep_sa_len(sa), NULL, 0,
+			    pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
+				dport = 0;	/*XXX*/
+			else
+				dport = atoi(pbuf);
+			printf("%s%s ", str_ipaddr(sa),
+				str_prefport(sa->sa_family,
+				    m_daddr->sadb_address_prefixlen, dport,
+				    m_saddr->sadb_address_proto));
+			break;
+		default:
+			printf("unknown-af ");
+			break;
+		}
+
+		/* upper layer protocol */
+		if (m_saddr->sadb_address_proto !=
+		    m_daddr->sadb_address_proto) {
+			printf("upper layer protocol mismatched.\n");
+			return;
+		}
+		str_upperspec(m_saddr->sadb_address_proto, sport, dport);
+	}
+#ifdef SADB_X_EXT_TAG
+	else if (m_tag)
+		printf("tagged \"%s\" ", m_tag->sadb_x_tag_name);
+#endif
+	else
+		printf("(no selector, probably per-socket policy) ");
+
+	/* policy */
+    {
+	char *d_xpl;
+
+	if (m_xpl == NULL) {
+		printf("no X_POLICY extension.\n");
+		return;
+	}
+	d_xpl = ipsec_dump_policy((char *)m_xpl, "\n\t");
+	if (!d_xpl)
+		printf("\n\tPolicy:[%s]\n", ipsec_strerror());
+	else {
+		/* dump SPD */
+		printf("\n\t%s\n", d_xpl);
+		free(d_xpl);
+	}
+    }
+
+	/* lifetime */
+	if (m_lftc) {
+		printf("\tcreated: %s  ",
+			str_time(m_lftc->sadb_lifetime_addtime));
+		printf("lastused: %s\n",
+			str_time(m_lftc->sadb_lifetime_usetime));
+	}
+	if (m_lfth) {
+		printf("\tlifetime: %lu(s) ",
+			(u_long)m_lfth->sadb_lifetime_addtime);
+		printf("validtime: %lu(s)\n",
+			(u_long)m_lfth->sadb_lifetime_usetime);
+	}
+
+
+	printf("\tspid=%ld seq=%ld pid=%ld\n",
+		(u_long)m_xpl->sadb_x_policy_id,
+		(u_long)m->sadb_msg_seq,
+		(u_long)m->sadb_msg_pid);
+
+	/* XXX TEST */
+	printf("\trefcnt=%u\n", m->sadb_msg_reserved);
+
+	return;
+}
+
+/*
+ * set "ipaddress" to buffer.
+ */
+static char *
+str_ipaddr(sa)
+	struct sockaddr *sa;
+{
+	static char buf[NI_MAXHOST];
+	const int niflag = NI_NUMERICHOST;
+
+	if (sa == NULL)
+		return "";
+
+	if (getnameinfo(sa, sysdep_sa_len(sa), buf, sizeof(buf), NULL, 0, niflag) == 0)
+		return buf;
+	return NULL;
+}
+
+/*
+ * set "/prefix[port number]" to buffer.
+ */
+static char *
+str_prefport(family, pref, port, ulp)
+	u_int family, pref, port, ulp;
+{
+	static char buf[128];
+	char prefbuf[128];
+	char portbuf[128];
+	int plen;
+
+	switch (family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		return "?";
+	}
+
+	if (pref == plen)
+		prefbuf[0] = '\0';
+	else
+		snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
+
+	if (ulp == IPPROTO_ICMPV6)
+		memset(portbuf, 0, sizeof(portbuf));
+	else {
+		if (port == IPSEC_PORT_ANY)
+			snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
+		else
+			snprintf(portbuf, sizeof(portbuf), "[%u]", port);
+	}
+
+	snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
+
+	return buf;
+}
+
+static void
+str_upperspec(ulp, p1, p2)
+	u_int ulp, p1, p2;
+{
+	if (ulp == IPSEC_ULPROTO_ANY)
+		printf("any");
+	else if (ulp == IPPROTO_ICMPV6) {
+		printf("icmp6");
+		if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY))
+			printf(" %u,%u", p1, p2);
+	} else {
+		struct protoent *ent;
+
+		switch (ulp) {
+		case IPPROTO_IPV4:
+			printf("ip4");
+			break;
+		default:
+			ent = getprotobynumber(ulp);
+			if (ent)
+				printf("%s", ent->p_name);
+			else
+				printf("%u", ulp);
+
+			endprotoent();
+			break;
+		}
+	}
+}
+
+/*
+ * set "Mon Day Time Year" to buffer
+ */
+static char *
+str_time(t)
+	time_t t;
+{
+	static char buf[128];
+
+	if (t == 0) {
+		int i = 0;
+		for (;i < 20;) buf[i++] = ' ';
+	} else {
+		char *t0;
+		t0 = ctime(&t);
+		memcpy(buf, t0 + 4, 20);
+	}
+
+	buf[20] = '\0';
+
+	return(buf);
+}
+
+static void
+str_lifetime_byte(x, str)
+	struct sadb_lifetime *x;
+	char *str;
+{
+	double y;
+	char *unit;
+	int w;
+
+	if (x == NULL) {
+		printf("\t%s: 0(bytes)", str);
+		return;
+	}
+
+#if 0
+	if ((x->sadb_lifetime_bytes) / 1024 / 1024) {
+		y = (x->sadb_lifetime_bytes) * 1.0 / 1024 / 1024;
+		unit = "M";
+		w = 1;
+	} else if ((x->sadb_lifetime_bytes) / 1024) {
+		y = (x->sadb_lifetime_bytes) * 1.0 / 1024;
+		unit = "K";
+		w = 1;
+	} else {
+		y = (x->sadb_lifetime_bytes) * 1.0;
+		unit = "";
+		w = 0;
+	}
+#else
+	y = (x->sadb_lifetime_bytes) * 1.0;
+	unit = "";
+	w = 0;
+#endif
+	printf("\t%s: %.*f(%sbytes)", str, w, y, unit);
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y	Sat Feb 12 11:11:11 2005 +0000
@@ -0,0 +1,614 @@
+/*	$KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * IN/OUT bound policy configuration take place such below:
+ *	in <priority> <policy>
+ *	out <priority> <policy>
+ *
+ * <priority> is one of the following:
+ * priority <signed int> where the integer is an offset from the default
+ *                       priority, where negative numbers indicate lower
+ *                       priority (towards end of list) and positive numbers 
+ *                       indicate higher priority (towards beginning of list)
+ *
+ * priority {low,def,high} {+,-} <unsigned int>  where low and high are
+ *                                               constants which are closer
+ *                                               to the end of the list and
+ *                                               beginning of the list,
+ *                                               respectively
+ *
+ * <policy> is one of following:
+ *	"discard", "none", "ipsec <requests>", "entrust", "bypass",
+ *
+ * The following requests are accepted as <requests>:
+ *
+ *	protocol/mode/src-dst/level
+ *	protocol/mode/src-dst		parsed as protocol/mode/src-dst/default
+ *	protocol/mode/src-dst/		parsed as protocol/mode/src-dst/default
+ *	protocol/transport		parsed as protocol/mode/any-any/default
+ *	protocol/transport//level	parsed as protocol/mode/any-any/level
+ *
+ * You can concatenate these requests with either ' '(single space) or '\n'.
+ */
+
+%{
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#ifdef HAVE_NETINET6_IPSEC
+#  include <netinet6/ipsec.h>
+#else
+#  include <netinet/ipsec.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <netdb.h>
+
+#include <errno.h>
+
+#include "config.h"
+
+#include "ipsec_strerror.h"
+#include "libpfkey.h"
+
+#ifndef INT32_MAX
+#define INT32_MAX	(0xffffffff)
+#endif
+
+#ifndef INT32_MIN
+#define INT32_MIN	(-INT32_MAX-1)
+#endif
+
+#define ATOX(c) \
+  (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
+
+static u_int8_t *pbuf = NULL;		/* sadb_x_policy buffer */
+static int tlen = 0;			/* total length of pbuf */
+static int offset = 0;			/* offset of pbuf */
+static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
+static u_int32_t p_priority = 0;
+static long p_priority_offset = 0;
+static struct sockaddr *p_src = NULL;
+static struct sockaddr *p_dst = NULL;
+
+struct _val;
+extern void yyerror __P((char *msg));
+static struct sockaddr *parse_sockaddr __P((struct _val *buf));
+static int rule_check __P((void));
+static int init_x_policy __P((void));
+static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
+static int set_sockaddr __P((struct sockaddr *addr));
+static void policy_parse_request_init __P((void));
+static caddr_t policy_parse __P((char *msg, int msglen));
+
+extern void __policy__strbuffer__init__ __P((char *msg));
+extern void __policy__strbuffer__free__ __P((void));
+extern int yyparse __P((void));
+extern int yylex __P((void));
+
+extern char *__libipsectext;	/*XXX*/
+
+%}
+
+%union {
+	u_int num;
+	u_int32_t num32;
+	struct _val {
+		int len;
+		char *buf;
+	} val;
+}
+
+%token DIR 
+%token PRIORITY PLUS
+%token <num32> PRIO_BASE 
+%token <val> PRIO_OFFSET 
+%token ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY IPADDRESS
+%token ME ANY
+%token SLASH HYPHEN
+%type <num> DIR PRIORITY ACTION PROTOCOL MODE LEVEL
+%type <val> IPADDRESS LEVEL_SPECIFY
+
+%%
+policy_spec
+	:	DIR ACTION
+		{
+			p_dir = $1;
+			p_type = $2;
+
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+			p_priority = PRIORITY_DEFAULT;
+#else
+			p_priority = 0;
+#endif
+
+			if (init_x_policy())
+				return -1;
+		}
+		rules
+	|	DIR PRIORITY PRIO_OFFSET ACTION
+		{
+			char *offset_buf;
+
+			p_dir = $1;
+			p_type = $4;
+
+			/* buffer big enough to hold a prepended negative sign */
+			offset_buf = malloc($3.len + 2);
+			if (offset_buf == NULL) 
+			{
+				__ipsec_errcode = EIPSEC_NO_BUFS;
+				return -1;
+			}
+
+			/* positive input value means higher priority, therefore lower
+			   actual value so that is closer to the beginning of the list */
+			sprintf (offset_buf, "-%s", $3.buf);
+
+			errno = 0;
+			p_priority_offset = atol(offset_buf);
+
+			free(offset_buf);
+
+			if (errno != 0 || p_priority_offset < INT32_MIN)
+			{
+				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
+				return -1;
+			}
+
+			p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;
+
+			if (init_x_policy())
+				return -1;
+		}
+		rules
+	|	DIR PRIORITY HYPHEN PRIO_OFFSET ACTION
+		{
+			p_dir = $1;
+			p_type = $5;
+
+			errno = 0;
+			p_priority_offset = atol($4.buf);
+
+			if (errno != 0 || p_priority_offset > INT32_MAX)
+			{
+				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
+				return -1;
+			}
+
+			/* negative input value means lower priority, therefore higher
+			   actual value so that is closer to the end of the list */
+			p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;
+
+			if (init_x_policy())
+				return -1;
+		}
+		rules
+	|	DIR PRIORITY PRIO_BASE ACTION
+		{
+			p_dir = $1;
+			p_type = $4;
+